
Re: new hashes (SHA512, SHA3) in apt metadata and .changes files?

David Kalnischkies wrote:
>On Fri, Aug 2, 2013 at 2:52 PM, Paul Wise <pabs@debian.org> wrote:
>> If so, here is the list of software that probably needs updating:
>> dak
>> apt/apt-ftparchive
>> reprepro
>> launchpad
>> dpkg-dev
>> devscripts
>> derivatives census
>Also, apt-get is forcing MD5 in --print-uris by default because not doing
>it used to break all kinds of scripts. I think jigdo was one of them,
>no idea if that is really the case and/or if this changed by now.
>(not saying they shouldn't be fixed, just that the list is probably longer)

jigdo and debian-cd both use MD5 for tracking and indexing files -
debian-cd uses them to assist in generating jigdo files and also as a
verification of archive contents as images are built. There should be
no security implications in either case as more/stronger checksums are
used for verifying the complete images. Changing jigdo to use a
different checksum would not be impossible, but very involved and I'm
not really convinced it would be worth it.

Steve McIntyre, Cambridge, UK.                                steve@einval.com
Support the Campaign for Audiovisual Free Expression: http://www.eff.org/cafe/
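
The split described in the reply above (a weak checksum for tracking and indexing parts, a stronger one over the complete image) can be modelled as follows. This is an added example, not code from jigdo, debian-cd or the thread. The file names, function names and the 16-bit truncated MD5 standing in for the index checksum are assumptions made so that a colliding part can actually be produced.

```python
import hashlib
import hmac
from itertools import count

def index_sum(data: bytes) -> str:
    # ASSUMPTION: MD5 cut to 16 bits stands in for the index checksum, so a
    # collision can be found by brute force in well under a second.
    return hashlib.md5(data).hexdigest()[:4]

def build_template(files: dict) -> tuple:
    """Return ([(name, index checksum)], SHA-512 of the complete image)."""
    entries = [(name, index_sum(blob)) for name, blob in files.items()]
    return entries, hashlib.sha512(b"".join(files.values())).hexdigest()

def assemble(entries, mirror: dict) -> bytes:
    """Rebuild the image, accepting each part on its index checksum alone."""
    image = b""
    for name, expected in entries:
        blob = mirror[name]
        if index_sum(blob) != expected:
            raise ValueError(f"{name}: index checksum mismatch")
        image += blob
    return image

def image_ok(image: bytes, expected_sha512: str) -> bool:
    """The check that carries the security weight: strong hash, whole image."""
    actual = hashlib.sha512(image).hexdigest()
    return hmac.compare_digest(actual, expected_sha512)

def colliding_blob(target: str) -> bytes:
    """Different content with the same index checksum (toy 16-bit search)."""
    for n in count():
        candidate = b"substituted content %d\n" % n
        if index_sum(candidate) == target:
            return candidate

# Constructed sample data; file names and contents are hypothetical.
FILES = {"a.deb": b"part A\n", "b.deb": b"part B\n", "c.deb": b"part C\n"}
TEMPLATE, IMAGE_SHA512 = build_template(FILES)
BAD_MIRROR = {**FILES, "b.deb": colliding_blob(TEMPLATE[1][1])}

if __name__ == "__main__":
    print("good mirror:", image_ok(assemble(TEMPLATE, FILES), IMAGE_SHA512))
    tampered = assemble(TEMPLATE, BAD_MIRROR)  # passes every per-part check
    print("bad mirror: ", image_ok(tampered, IMAGE_SHA512))
```

The substituted part is accepted during assembly, and the mismatch only surfaces at the image-level SHA-512 comparison, so that final check has to be run and its expected value obtained from a trusted source.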
