[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Let's shrink Packages.xz

On Mon, Jul 14, 2014 at 12:26:30PM -0500, Jeff Epler wrote:
> actually used by current versions of apt. (ideally you'd just go sha256,
> but iirc it's the md5sum that is used in practice, even today.  but
> please find that thread, don't trust my summary)

- apt-get --print-uris defaults to MD5 by default as there at least were
  clients expecting exactly that. jigdo given in the bugreport leading
  to this default for the time being (#576420). If that is still the
  case, who knows? In the last iteration the thread "mysteriously" died
  after I mentioned that we need someone who checks… If you don't like
  the default: -o Acquire::ForceHash=<hash you wanna force>  Still up
  for takers of course, but I am not holding my breath…
- pdiffs index is a SHA1-only fileformat at the moment
- Description-md5 is not security related, it just needed for mapping,
  so using something "stronger" would be non-sense. Something "weaker"
  would equally work, but that might be a way to ugly transition.
- apt-get source uses MD5 at the moment in all released versions,
  I guess other clients might as well as the fieldname is super handy…
  (and for us it is also an abi-breaking change)
- "the rest" uses the first hash it can find out of SHA512, 256, 1 and
  MD5 (checking in the order given here, not the order presented in the
  file). Check for yourself if you really care at which point which one
  was added… –– modulo all the bugs included of course.

The later two change in the yet-to-be finished version currently
residing in experimental in so far as that 'source' stops relying on the
"Files" field alone and that certain cases in the code will do an
all-known hashes comparison instead of best-only (it's difficult to
explain which ones these are without expecting a good understanding of
how files are acquired by apt, so I go with a "each time we can do it
for free" which is surprisingly often 'thanks' to our architecture).

Best regards

David Kalnischkies

Attachment: signature.asc
Description: Digital signature

Reply to: