
Re: new hashes (SHA512, SHA3) in apt metadata and .changes files?



* Paul Wise <pabs@debian.org> [130802 15:54]:
> > In any case, removing md5 support seems like a bad idea to me right
> > now, as older software might not have been adapted to check the other
> > hashes, or would imply breaking the current .dsc and .changes formats,
> > as the Files field uses md5.
> 
> We've had SHA1 since before snapshot.d.o data started (2005), I would
> guess any relevant software would have been updated in the last 8
> years.

In 2008 Ubuntu had Sha256Sums wrong, which showed that back then almost
no software even bothered to check those fields:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/243630

Non-md5sum hashes in Sources generated by DAK were incomplete until
the generation code moved away from apt-ftparchive (early 2011 I think),
thus the Files: part with md5sums was the only reliable way to get
the list of all files belonging to it.

Support for non-md5sum hashes was added to dpkg-scansources/apt-ftparchive
with apt (0.7.25.3) released to unstable 2010-02-01, first released with
squeeze.

So it is not some 8 years. It is more "since squeeze" that Debian and
some of the common tools even produce complete non-md5sum hashes in
Sources indices.

reprepro for example only tries to support source indices without
"Files" (i.e.  md5sum hashes) since 4.12.0 (i.e. since wheezy).

        Bernhard R. Link
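
Added example, not part of the original message and not code from apt, dak or reprepro: a check for the failure mode described above, where a Sources stanza's stronger hash fields do not cover every file that Files lists. The stanza, its shortened digests and the function names are constructed for illustration.

```python
# Added example: per-field file coverage of the hash fields in one Sources stanza.
HASH_FIELDS = ("Files", "Checksums-Sha1", "Checksums-Sha256")

# Constructed sample stanza (digests shortened, not real hashes).
SAMPLE = """\
Package: hello
Files:
 1111 1200 hello_1.0-1.dsc
 2222 90000 hello_1.0.orig.tar.gz
 3333 5000 hello_1.0-1.debian.tar.gz
Checksums-Sha256:
 aaaa 1200 hello_1.0-1.dsc
 bbbb 90000 hello_1.0.orig.tar.gz
"""

def parse_stanza(text):
    """Parse one deb822 stanza into {field: value}, joining continuation lines."""
    fields, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t":
            if current is None:
                raise ValueError("continuation line before any field")
            fields[current] += "\n" + line.strip()
        else:
            name, sep, value = line.partition(":")
            if not sep:
                raise ValueError(f"malformed line: {line!r}")
            current = name.strip()
            fields[current] = value.strip()
    return fields

def file_entries(value):
    """Map filename -> (digest, size) for a Files/Checksums-* field value."""
    entries = {}
    for row in value.splitlines():
        if row.strip():
            digest, size, name = row.split()
            entries[name] = (digest, int(size))
    return entries

def hash_coverage(stanza_text):
    """Return {field: sorted files that field fails to cover}.
    The reference set is the union of files named by any hash field."""
    fields = parse_stanza(stanza_text)
    per_field = {f: file_entries(fields.get(f, "")) for f in HASH_FIELDS}
    all_files = set().union(*per_field.values())
    return {f: sorted(all_files - set(e)) for f, e in per_field.items()}
```

A consumer that wants to stop relying on md5 can only do so for stanzas where the Checksums-Sha256 list comes back empty.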

