Re: Archive changes
Guillem Jover wrote:
> On Tue, 2016-03-15 at 15:32:40 -0700, Josh Triplett wrote:
> > On Tue, Mar 15, 2016 at 11:15:16PM +0100, Joerg Jaspert wrote:
> > > I've just activated a few changes to the archive we talk(ed) about for a
> > > long time. And while it is not exactly the start of this release cycle,
> > > it should still work out nicely (so one hopes).
> > >
> > > As of now, InRelease/Release files, Packages and Sources no longer
> > > provide MD5Sum and SHA1sums, only SHA256.
> > >
> > > Additionally I turned off generating gzip compressed versions of those
> > > files, xz is there.
> >
> > In addition to the security improvement,
>
> The only way this might possibly improve security is by perhaps flushing
> out things that rely exclusively on weak hashes, once these start to fail.
That was what I meant, yes.
> > a quick analysis on
> > binary-amd64 shows that this will reduce the size of Packages for
> > binary-amd64 from 39MB to 35MB (uncompressed), and the size of the
> > xz-compressed version from 7.9MB to 5.9MB. Very nice!
>
> While the space reduction is nice…
>
> > That also helps reduce the impact and overhead of adding additional
> > binary packages.
>
> …I get the feeling you seem to be fixated on the metadata as the only
> problem with an explosion of additional binary packages (tiny or not).
Not at all. I just said "helps reduce"; this is one of *many* changes
that would need to happen. I'm happy to see any reduction in overhead.
> As I've commented on before, metadata size is just a tiny part of the
> overhead for a package introduced into the system:
>
> <https://lists.debian.org/debian-devel/2015/09/msg00141.html>
This is something I'm quite familiar with as well; I've reviewed many of
the various sources of overhead previously:
https://lists.debian.org/debian-devel/2015/11/msg00008.html .