Re: [PATCH] dpkg-scanpackages: Add sha512 support
Hi!
On Thu, 2023-06-01 at 19:06:34 +0200, Guillem Jover wrote:
> > ------------------ 原始邮件 ------------------
> > 发件人: "Guillem Jover"<guillem@debian.org>;
> > 发送时间: 2023年6月1日(星期四) 凌晨5:33
> > 收件人: "sweetyfish"<sweetyfish@deepin.org>;
> > 抄送: "debian-dpkg"<debian-dpkg@lists.debian.org>; "lichenggang"<lichenggang@uniontech.com>;
> > 主题: Re: [PATCH] dpkg-scanpackages: Add sha512 support
>
> > Thanks for the patch! Although I've had this implemented with
> > <https://git.hadrons.org/git/debian/dpkg/dpkg.git/commit/?h=pu/sha-512&id=4df34f697309a816f6e137f13296270ea84ed938>
> > for some time. The problem is that this would require first checking
> > that consumers can cope with the new field, and do not reject files
> > containing them (.dsc, .buildinfo, .changes, Packages, Sources, etc).
> > Then at least in Debian checking whether the added fields incur too
> > much bloat, for the potential security benefit they might bring.
> > (Offsetting this by removing fields would probably imply having to
> > bump the format versions for various of the involved files containing
> > these removed files.)
> On Thu, 2023-06-01 at 09:27:09 +0800, 李成刚 wrote:
> > Thank you very much for your work, we use obs
> > (https://openbuildservice.org/) to build the platform, obs uses
> > dpkg-scanpackages to generate warehouses, dpkg-scanpackages does
> > not support sha512, and there are some wrong behaviors when mixed
> > with our other warehouses
>
> As discussed on IRC with sweetyfish, it looks like apt and Ubuntu's
> archive software (via Launchpad.net) at least support SHA512 hashes.
> I see reprepro gained support for them last year. So I assume things
> in general would not break. But if you are seeing breakage somewhere
> that's worth investigating as these should be optional fields that
> would in general only cause failures if they are missing and there are
> only weak ones present.
>
> As mentioned above, and on IRC, adding support for this
> unconditionally would require checking whether DAK (the Debian Archive
> Kit software that manages the Debian archive) does not reject uploads
> using those hashes, and if so adding support for them, and then for
> Debian a discussion would be needed to see whether the potential bloat
> is worth it.
This has been discussed in the past and there didn't seem much
enthusiasm at the time, but then that was 10 years ago:
https://lists.debian.org/debian-devel/2012/10/msg00159.html
https://lists.debian.org/debian-devel/2013/08/msg00033.html
For reference there's also this draft spec that is relevant here:
https://wiki.debian.org/Teams/Dpkg/Spec/ChangesFormat2.0
> If you manage to find the reason for your issues, and that requires
> adding these hashes, then I could see adding support for conditionally
> enabling them, but that might end up not being a trivial change, as
> this would need to be passed down from dpkg-buildpackage to dpkg-source
> and dpkg-genbuildinfo for example, although not an insurmountable one.
After discussion this further on IRC, AFAIUI this was just a request
to add the support simply to use it, apparently nothing was breaking,
I just got that impression from the original mail.
In any case I started to look into untangling this yesterday, and have
some code which would be targeted at 1.22.x.
Thanks,
Guillem
Reply to: