[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: no-strong-digests-in-dsc MBF

On 19.01.2017 14:27, Holger Levsen wrote:
> On Wed, Jan 18, 2017 at 10:14:46AM +1100, Stuart Prescott wrote:
>> The hashes inside the .dsc file are not used in Debian once the package has 
>> been accepted by dak. 
>> * The trustable way of getting the source package is with apt-get source, 
>> when apt verifies the Release signature → hashes → Sources → hashes for each 
>> part of the source package: dsc, orig.tar.gz, diff.gz/diff.tar.xz
> so this "trustable" way of getting the source packages relies on a piece
> of software, dak, running 24/365 on a machine (administrated by some
> volunteers in their free time) on the internet, to not to be compromised?
> I'm not sure I can really trust this very much.

AIUI we never exported the .changes files either, which would have
allowed an independent party to check if the files inserted came from a
developer or not.

> (and btw, let's drop md5sums for buster, "maybe", _completly_, or how long
> do we want to be joked about?)

I'm not sure why you say this. More than one hash is strictly better
than just one. They are bad for bandwidth, sure. But I don't think the
way they are used right now can be used for jokes except by quite
ignorant people.

Kind regards
Philipp Kern

Attachment: signature.asc
Description: OpenPGP digital signature

Reply to: