[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [RFC] Enhance checksum support

On Fri, Jan 18, 2008 at 11:38:55PM +1000, Anthony Towns wrote:
> It'd actually be good to be able to break Files in future, so that we're
> forced to verify something other than md5sum. Otherwise there will
> be code that doesn't check it properly, and that will end up being a
> security problem.

Hmm, that might indeed be a good idea (the point to remove the Files
field would be v3 then).

> Having it be:
>   Contents: sha256
>    28ee6a10eb280ede4b19c1b975aff5533016a26de67ba9212d51ffaea020ce34 355 foo
>   Files:
>    4bf7ff17bd9ddf3846d9065b3c594fb4 355 foo
> or similar would be nice and non-redundant, and make it possible to drop

I can see the "nice". But once I want to include more than one checksum
it quickly gets redundant.

So maybe keep the Checksums field and introduce a Contents field that
contains no checksums, but only the size and the name?

  md5 4bf7ff17bd9ddf3846d9065b3c594fb4 foo
  sha256 28ee6a10eb280ede4b19c1b975aff5533016a26de67ba9212d51ffaea020ce34 foo
  355 foo
  4bf7ff17bd9ddf3846d9065b3c594fb4 355 foo

That makes the parsing more robust and eliminates the need to specifiy
the size of a file more than once. If we want we could even declare size
also to be a checksum and include only the filenames in the
Contents field.

Frank Lichtenheld <djpig@debian.org>
www: http://www.djpig.de/

Reply to: