Re: no-strong-digests-in-dsc MBF

To: Stuart Prescott <stuart@debian.org>
Cc: debian-devel@lists.debian.org
Subject: Re: no-strong-digests-in-dsc MBF
From: Ian Jackson <ijackson@chiark.greenend.org.uk>
Date: Wed, 18 Jan 2017 00:39:40 +0000
Message-id: <[🔎] 22654.47436.569852.268046@chiark.greenend.org.uk>
In-reply-to: <[🔎] o5m8h1$ott$1@blaine.gmane.org>
References: <[🔎] 20170117215316.lqbnnqw7a6zrovcp@localhost> <[🔎] o5m8h1$ott$1@blaine.gmane.org>

Stuart Prescott writes ("Re: no-strong-digests-in-dsc MBF"):
> Given the hashes aren't used within Debian and can't be used reliably by 
> external parties either, it doesn't feel like a good use of anyone's time.

dgit uses the hashes in the .dsc, both during `dgit fetch' and during
`dgit import-dsc'.  Sponsorship workflows sometimes involve exchanging
or signing only .dscs.

But: I agree that this is not a release-critical bug.  For old .dsc's
(I assume we're not generating new ones) the security requirement is
second preimage resistance for old documents.  I think for .dscs this
will be OK for a while yet.

Ian.

-- 
Ian Jackson <ijackson@chiark.greenend.org.uk>   These opinions are my own.

If I emailed you from an address @fyvzl.net or @evade.org.uk, that is
a private address which bypasses my fierce spamfilter.

Reply to:

References:
- no-strong-digests-in-dsc MBF
  - From: Adrian Bunk <bunk@debian.org>
- Re: no-strong-digests-in-dsc MBF
  - From: Stuart Prescott <stuart@debian.org>

Prev by Date: Re: no-strong-digests-in-dsc MBF
Next by Date: Re: Auto reject if autopkgtest of reverse dependencies fail or cause FTBFS
Previous by thread: Re: no-strong-digests-in-dsc MBF
Next by thread: Re: no-strong-digests-in-dsc MBF
Index(es):
- Date
- Thread