
Re: Archive changes



Hi!

On Tue, 2016-03-15 at 15:32:40 -0700, Josh Triplett wrote:
> On Tue, Mar 15, 2016 at 11:15:16PM +0100, Joerg Jaspert wrote:
> > I've just activated a few changes to the archive we talk(ed) about for a
> > long time. And while it is not exactly the start of this release cycle,
> > it should still work out nicely (so one hopes).
> > 
> > As of now, InRelease/Release files, Packages and Sources no longer
> > provide MD5Sum and SHA1sums, only SHA256.
> > 
> > Additionally I turned off generating gzip compressed versions of those
> > files, xz is there.
> 
> In addition to the security improvement,

The only way this might possibly improve security is by perhaps flushing
out things that rely exclusively on weak hashes, once these start to fail.
Otherwise reducing the number of hashes is not a security improvement.

Increased security is what apt is doing now, which will validate all the
hashes but consider weak ones not sufficient to consider the repo secure.

> a quick analysis on
> binary-amd64 shows that this will reduce the size of Packages for
> binary-amd64 from 39MB to 35MB (uncompressed), and the size of the
> xz-compressed version from 7.9MB to 5.9MB.  Very nice!

While the space reduction is nice…

> That also helps reduce the impact and overhead of adding additional
> binary packages.

…I get the feeling you seem to be fixated on the metadata as the only
problem with an explosion of additional binary packages (tiny or not).
As I've commented on before, metadata size is just a tiny part of the
overhead for a package introduced into the system:

  <https://lists.debian.org/debian-devel/2015/09/msg00141.html>

Thanks,
Guillem
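The apt policy Guillem describes (verify every listed hash, but treat only a strong one as sufficient) as an added illustration; this is example code written for this page, not apt's implementation nor anything from the thread, and the Release-style listing and Packages bytes it checks are constructed inside the block.

```python
import hashlib
from typing import Dict, Tuple

ALGOS = {"MD5Sum": "md5", "SHA1": "sha1", "SHA256": "sha256"}
STRONG = {"SHA256"}  # the only listed hash treated as sufficient on its own


def parse_release_hashes(text: str) -> Dict[str, Dict[str, Tuple[str, int]]]:
    """Parse the MD5Sum:/SHA1:/SHA256: sections of a Release-style file.
    Returns {path: {field: (hexdigest, size)}}; other fields are skipped."""
    entries: Dict[str, Dict[str, Tuple[str, int]]] = {}
    field = None
    for line in text.splitlines():
        if line and not line[0].isspace():        # a new top-level field
            name = line.split(":", 1)[0]
            field = name if name in ALGOS else None
        elif field and line.strip():              # an indented hash entry
            digest, size, path = line.split()
            entries.setdefault(path, {})[field] = (digest, int(size))
    return entries


def check_file(release: str, path: str, data: bytes) -> dict:
    """Validate every hash listed for `path`. A mismatch in any hash, weak or
    strong, fails the file; `secure` additionally requires a strong hash match."""
    listed = parse_release_hashes(release).get(path, {})
    results = {}
    for field, (digest, size) in listed.items():
        actual = hashlib.new(ALGOS[field], data).hexdigest()
        results[field] = actual == digest and len(data) == size
    all_match = bool(results) and all(results.values())
    strong_match = any(results.get(f, False) for f in STRONG)
    return {"hashes": results, "all_match": all_match, "secure": all_match and strong_match}


def make_release(path: str, data: bytes, fields=("MD5Sum", "SHA1", "SHA256")) -> str:
    """Constructed helper: emit a minimal Release-style listing for one file
    (test data only, not a real archive's Release file)."""
    out = []
    for f in fields:
        out.append(f"{f}:")
        out.append(f" {hashlib.new(ALGOS[f], data).hexdigest()} {len(data)} {path}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    packages = b"Package: example\nVersion: 1.0\n"  # constructed sample content
    rel = make_release("main/binary-amd64/Packages", packages)
    print(check_file(rel, "main/binary-amd64/Packages", packages))
```

A listing that carries only MD5Sum still verifies (`all_match`) but is never reported `secure`, which is the distinction the reply draws between "fewer hashes" and "stronger validation".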

