
Re: Let's shrink Packages.xz



On Mon, Jul 14, 2014 at 12:26:30PM -0500, Jeff Epler wrote:
> actually used by current versions of apt. (ideally you'd just go sha256,
> but iirc it's the md5sum that is used in practice, even today.  but
> please find that thread, don't trust my summary)

- apt-get --print-uris defaults to MD5 by default as there at least were
  clients expecting exactly that. jigdo given in the bug report leading
  to this default for the time being (#576420). If that is still the
  case, who knows? In the last iteration the thread "mysteriously" died
  after I mentioned that we need someone who checks… If you don't like
  the default: -o Acquire::ForceHash=<hash you wanna force>  Still up
  for takers of course, but I am not holding my breath…
- pdiffs index is a SHA1-only fileformat at the moment
- Description-md5 is not security related, it is just needed for mapping,
  so using something "stronger" would be nonsense. Something "weaker"
  would equally work, but that might be a way too ugly transition.
- apt-get source uses MD5 at the moment in all released versions,
  I guess other clients might as well as the field name is super handy…
  (and for us it is also an ABI-breaking change)
- "the rest" uses the first hash it can find out of SHA512, 256, 1 and
  MD5 (checking in the order given here, not the order presented in the
  file). Check for yourself if you really care at which point which one
  was added… –– modulo all the bugs included of course.

The latter two change in the yet-to-be finished version currently
residing in experimental insofar as 'source' stops relying on the
"Files" field alone and that certain cases in the code will do an
all-known hashes comparison instead of best-only (it's difficult to
explain which ones these are without expecting a good understanding of
how files are acquired by apt, so I go with a "each time we can do it
for free" which is surprisingly often 'thanks' to our architecture).


Best regards

David Kalnischkies
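
An added illustration, not apt's code and not part of the original message, of the difference between the best-only and all-known-hashes comparison described above. The stanza format is simplified, and the function names, the sample payload and the fail-closed result when no known hash is present are assumptions of this example.

```python
import hashlib

# Preference order from the message: SHA512, SHA256, SHA1, then MD5,
# regardless of the order the fields appear in the index file.
PREFERENCE = ("SHA512", "SHA256", "SHA1", "MD5sum")
HASHLIB_NAME = {"SHA512": "sha512", "SHA256": "sha256", "SHA1": "sha1", "MD5sum": "md5"}

def digest(field, data):
    return hashlib.new(HASHLIB_NAME[field], data).hexdigest()

def parse_stanza(text):
    """Parse simplified 'Field: value' lines, keeping file order."""
    fields = {}
    for line in text.strip().splitlines():
        name, _, value = line.partition(":")
        fields[name.strip()] = value.strip().lower()
    return fields

def verify_best_only(fields, data):
    """Check only the first hash found in PREFERENCE order."""
    for name in PREFERENCE:
        if name in fields:
            return name, digest(name, data) == fields[name]
    return None, False  # assumption of this example: no known hash fails closed

def verify_all_known(fields, data):
    """Check every known hash present; a single mismatch fails."""
    results = {n: digest(n, data) == fields[n] for n in PREFERENCE if n in fields}
    return results, bool(results) and all(results.values())

def make_stanza(data, corrupt=None):
    """Constructed sample stanza, MD5sum listed first; optionally zero one field."""
    lines = []
    for name in ("MD5sum", "SHA1", "SHA256"):
        value = digest(name, data)
        lines.append(f"{name}: {'0' * len(value) if name == corrupt else value}")
    return "\n".join(lines)

if __name__ == "__main__":
    payload = b"constructed package payload"
    fields = parse_stanza(make_stanza(payload, corrupt="MD5sum"))
    # Best-only picks SHA256 even though MD5sum is listed first in the stanza.
    print(verify_best_only(fields, payload))
    # All-known comparison also checks the zeroed MD5sum field.
    print(verify_all_known(fields, payload)[1])
```

With best-only selection a wrong weaker hash goes unnoticed as long as the strongest one present matches; the all-known comparison flags it.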
