[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: please, let's *completely* drop md5sums for buster (was Re: no-strong-digests-in-dsc MBF)




On 01/22/2017 10:49 AM, Philipp Kern wrote:
> On 22.01.2017 00:17, Holger Levsen wrote:
>> We really ought to do the same. I'm all for keeping sha1+sha256, but
>> please let's *completely* drop md5sums for buster.
> 
> We already dropped SHA1, FWIW, so it's md5+sha256. And again, the Oracle
> announcement was about MD5-only, so isn't relevant to the discussion.
> 
> I do sympathize with the "drop md5sum to see what breaks". But that's a
> discussion for after the release. And how you formulate your argument
> does not help your case.

afaik people are criticizing that there are still (only) md5sum files in
/var/lib/dpkg/info. As dpkg --verify uses them, it might indeed make
sense to replace them.
(yes, dpkg is not an IDS, but better than nothing...).


-- 
 Bernd Zeimetz                            Debian GNU/Linux Developer
 http://bzed.de                                http://www.debian.org
 GPG Fingerprint: ECA1 E3F2 8E11 2432 D485  DD95 EB36 171A 6FF9 435F


Reply to: