[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: no-strong-digests-in-dsc MBF

Stuart Prescott writes ("Re: no-strong-digests-in-dsc MBF"):
> Given the hashes aren't used within Debian and can't be used reliably by 
> external parties either, it doesn't feel like a good use of anyone's time.

dgit uses the hashes in the .dsc, both during `dgit fetch' and during
`dgit import-dsc'.  Sponsorship workflows sometimes involve exchanging
or signing only .dscs.

But: I agree that this is not a release-critical bug.  For old .dsc's
(I assume we're not generating new ones) the security requirement is
second preimage resistance for old documents.  I think for .dscs this
will be OK for a while yet.


Ian Jackson <ijackson@chiark.greenend.org.uk>   These opinions are my own.

If I emailed you from an address @fyvzl.net or @evade.org.uk, that is
a private address which bypasses my fierce spamfilter.

Reply to: