Re: git & Debian packaging sprint report

To: debian-devel@lists.debian.org
Subject: Re: git & Debian packaging sprint report
From: Russ Allbery <rra@debian.org>
Date: Mon, 15 Jul 2019 13:50:48 -0700
Message-id: <[🔎] 877e8jf2dz.fsf@hope.eyrie.org>
In-reply-to: <[🔎] 878sszc9kr.fsf@43-1.org> (Ansgar Burchardt's message of "Mon, 15 Jul 2019 22:43:48 +0200")
References: <[🔎] 87bly2nwcf.fsf@iris.silentflame.com> <[🔎] 18ECEC09-EF0B-439E-A329-6739C3572A0C@kitterman.com> <[🔎] 877e8nbuu5.fsf@zephyr.silentflame.com> <[🔎] 87ims3fc0d.fsf@hope.eyrie.org> <[🔎] 87sgr7qgbv.fsf@43-1.org> <[🔎] 87d0ibf5av.fsf@hope.eyrie.org> <[🔎] 878sszc9kr.fsf@43-1.org>

Ansgar Burchardt <ansgar@debian.org> writes:

> SHA-1 isn't going to get stronger in the future.  The TLS world has
> already moved on, OpenPGP is still in the slow process to move on,
> Release/Packages stopped using it[1], there is no reason to continue
> using it.

Well, the reason to continue using it is that Git uses it and we use Git,
and it may simplify the workflow.

You're not wrong, of course, but preimage attacks are very hard.  MD5 is
still probably robust against preimage attacks, let alone SHA-1.  By all
means, let's future-proof as much as possible, but I'm not sure worrying
about SHA-1 preimage resistance is the most important design principle in
this case.  At some point, Git itself will switch away from SHA-1, and we
can then obviously follow.

That said, there's enough custom logic going on here that it may be easy
to add something that you describe, in which case, great.

> The client tool could possibly also just create the .dsc and .changes,
> except for hashes of the compressed files, and the web service just
> recreate the tarball and compress them.

I think experience with pristine-tar indicates that recreating tarballs is
unfortunately not trivial.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

Reply to:

Follow-Ups:
- Re: git & Debian packaging sprint report
  - From: Andrej Shadura <andrew@shadura.me>
- Re: git & Debian packaging sprint report
  - From: Ansgar Burchardt <ansgar@debian.org>
- Re: git & Debian packaging sprint report
  - From: Scott Kitterman <debian@kitterman.com>
- Re: git & Debian packaging sprint report
  - From: Peter Wienemann <fossdev@posteo.de>

References:
- git & Debian packaging sprint report
  - From: Sean Whitton <spwhitton@spwhitton.name>
- Re: git & Debian packaging sprint report
  - From: Scott Kitterman <debian@kitterman.com>
- Re: git & Debian packaging sprint report
  - From: Sean Whitton <spwhitton@spwhitton.name>
- Re: git & Debian packaging sprint report
  - From: Russ Allbery <rra@debian.org>
- Re: git & Debian packaging sprint report
  - From: Ansgar Burchardt <ansgar@debian.org>
- Re: git & Debian packaging sprint report
  - From: Russ Allbery <rra@debian.org>
- Re: git & Debian packaging sprint report
  - From: Ansgar Burchardt <ansgar@debian.org>

Prev by Date: Re: git & Debian packaging sprint report
Next by Date: Re: git & Debian packaging sprint report
Previous by thread: Re: git & Debian packaging sprint report
Next by thread: Re: git & Debian packaging sprint report
Index(es):
- Date
- Thread