On Wed, Jan 18, 2017 at 10:14:46AM +1100, Stuart Prescott wrote:
> The hashes inside the .dsc file are not used in Debian once the package has 
> been accepted by dak. 
> * The trustable way of getting the source package is with apt-get source, 
> when apt verifies the Release signature → hashes → Sources → hashes for each 
> part of the source package: dsc, orig.tar.gz, diff.gz/diff.tar.xz

so this "trustable" way of getting the source packages relies on a piece
of software, dak, running 24/365 on a machine (administrated by some
volunteers in their free time) on the internet, to not be compromised?

I'm not sure I can really trust this very much.

> * The not-really-trustable way of getting the source package is with "dget 
> http://.../package.dsc". Using the dsc directly, dget will check the 
> signature on the dsc and check the hashes.

I'd really like to see strong hashes used here.

(and btw, let's drop md5sums for buster, "maybe", _completely_, or how long
do we want to be joked about?)
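The hash check at the end of the chain Stuart describes (Sources/.dsc checksum fields verified against each part of the source package), as an added example that is not code from this thread nor from dak, dget or apt: a small checker that parses the multi-line checksum fields of a .dsc, verifies the files against the strongest field present, and flags a .dsc that offers only MD5. Filenames and file contents are constructed; `make_dsc` is a test fixture, not a real packaging tool.

```python
import hashlib
import re

# Strongest first: never fall back to MD5 (Files:) when a stronger field exists.
CHECKSUM_FIELDS = [("Checksums-Sha256", "sha256"), ("Checksums-Sha1", "sha1"), ("Files", "md5")]
FIELD_RE = re.compile(r"^(Checksums-Sha256|Checksums-Sha1|Files):\s*$")

def parse_checksums(dsc_text):
    """Return {field: {filename: (hexdigest, size)}} from the multi-line checksum
    fields of a .dsc (a Sources stanza uses the same layout)."""
    result, current = {}, None
    for line in dsc_text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            current = m.group(1)
            result[current] = {}
        elif current and line.startswith(" ") and line.strip():
            digest, size, name = line.split()
            result[current][name] = (digest.lower(), int(size))
        else:
            current = None  # any other field ends the continuation block
    return result

def verify(dsc_text, files):
    """Check each listed file against the strongest hash field the .dsc offers.
    files: {filename: bytes}. Returns (algorithm_used, [problems])."""
    parsed = parse_checksums(dsc_text)
    for field, algo in CHECKSUM_FIELDS:
        if field in parsed:
            break
    else:
        return None, ["no checksum field found"]
    problems = ["only MD5 (Files:) available; collisions are practical"] if algo == "md5" else []
    for name, (digest, size) in parsed[field].items():
        data = files.get(name)
        if data is None:
            problems.append(f"{name}: missing")
        elif len(data) != size:
            problems.append(f"{name}: size {len(data)} != {size}")
        elif hashlib.new(algo, data).hexdigest() != digest:
            problems.append(f"{name}: {algo} mismatch")
    return algo, problems

def make_dsc(files, fields=CHECKSUM_FIELDS):
    """Constructed .dsc fragment over `files` (fixture only, not a real package)."""
    out = ["Format: 3.0 (quilt)", "Source: example", "Version: 1.0-1"]
    for field, algo in fields:
        out.append(f"{field}:")
        out += [f" {hashlib.new(algo, d).hexdigest()} {len(d)} {n}" for n, d in files.items()]
    return "\n".join(out) + "\n"

SAMPLE_FILES = {  # constructed contents, not a real Debian source package
    "example_1.0.orig.tar.gz": b"constructed upstream tarball bytes\n",
    "example_1.0-1.debian.tar.xz": b"constructed debian tarball bytes\n",
}
```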


