Re: new hashes (SHA512, SHA3) in apt metadata and .changes files?
David Kalnischkies wrote:
>On Fri, Aug 2, 2013 at 2:52 PM, Paul Wise <firstname.lastname@example.org> wrote:
>> If so, here is the list of software that probably needs updating:
>> derivatives census
>Also, apt-get is forcing MD5 in --print-uris by default because not doing
>it used to break all kinds of scripts. I think jigdo was one of them,
>no idea if that is really the case and/or if this changed by now.
>(not saying they shouldn't be fixed, just that the list is probably longer)
jigdo and debian-cd both use MD5 for tracking and indexing files -
debian-cd uses them to assist in generating jigdo files and also as a
verification of archive contents as images are built. There should be
no security implications in either case as more/stronger checksums are
used for verifying the complete images. Changing jigdo to use a
different checksum would not be impossible, but very involved and I'm
not really convinced it would be worth it.
Steve McIntyre, Cambridge, UK. email@example.com
Support the Campaign for Audiovisual Free Expression: http://www.eff.org/cafe/