Re: please, let's *completely* drop md5sums for buster (was Re: no-strong-digests-in-dsc MBF)
On 01/22/2017 10:49 AM, Philipp Kern wrote:
> On 22.01.2017 00:17, Holger Levsen wrote:
>> We really ought to do the same. I'm all for keeping sha1+sha256, but
>> please let's *completely* drop md5sums for buster.
> We already dropped SHA1, FWIW, so it's md5+sha256. And again, the Oracle
> announcement was about MD5-only, so isn't relevant to the discussion.
> I do sympathize with the "drop md5sum to see what breaks". But that's a
> discussion for after the release. And how you formulate your argument
> does not help your case.
afaik people are criticizing that there are still (only) md5sum files in
/var/lib/dpkg/info. As dpkg --verify uses them, it might indeed make
sense to replace them.
(yes, dpkg is not an IDS, but better than nothing...).
Bernd Zeimetz Debian GNU/Linux Developer
GPG Fingerprint: ECA1 E3F2 8E11 2432 D485 DD95 EB36 171A 6FF9 435F