Re: Archive changes

[Joerg Jaspert <joerg@ganneff.de>]

Am 2016-03-16 01:20, schrieb Steve McIntyre:

> > I've just activated a few changes to the archive we talk(ed) about for 
> > a
> > long time. And while it is not exactly the start of this release 
> > cycle,
> > it should still work out nicely (so one hopes).
> > As of now, InRelease/Release files, Packages and Sources no longer
> > provide MD5Sum and SHA1sums, only SHA256.
> That (Packages and Sources) will break jigdo generation for debian-cd
> (and hence all CD/DVD/BD builds). We can't fix this easily in a short
> timescale - current released jigdo clients (both in Debian and
> externally) use md5 internally to reference files in the archive. Not
> as a *security* feature; this is the core design of jigdo.

Brrrr.

If it really turns out that this is unchangeable for now - the code is
flexible enough to allow to freely select checksum types by suite, so
md5 could be turned on for a suite too. Without getting sha1 back.
(Its written so that it can simply support any checksum apt_pkg 
supports).

Im not sure we *want* to support that, at least for sure not for more 
than stretch, but we could.

> > Additionally I turned off generating gzip compressed versions of those
> > files, xz is there.
> And that will break various other parts of debian-cd.

Question is how hard a change of a compression tool is there.

> > To test it, this is limited to experimental. We hope nothing breaks on 
> > it,
> > but lets try for a few days. If that works out, we should adjust
> > unstable, and another short time later coordinate with the release 
> > team
> > to adjust testing, so it ends up in the next release.
> Please, no. We need more time than that to fix things up.

Its not like its an entirely new idea to do this.
How much?


Also, from reading the current replies, noone has a problem with 
removing sha1, so that one seems a set thing. md5 and gz files removals 
make people more happy.

--
bye Joerg