
Bug#478295: Sha1 and sha256 in .changes and .dsc file



Thijs Kinkhorst <thijs@debian.org> writes:
> On Saturday 12 June 2010, Russ Allbery wrote:

>> +         <p>
>> +           These fields contain a list of files with a checksum and size
>> +           for each one.  Both <tt>Checksums-Sha1</tt>
>> +           and <tt>Checksums-Sha256</tt> have the same syntax and differ
>> +           only in the checksum algorithm used: SHA-1
>> +           for <tt>Checksums-Sha1</tt> and SHA-256
>> +           for <tt>Checksums-Sha256</tt>.
>> +         </p>
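
Review bot: The claim that both fields "have the same syntax" (second sentence of the paragraph) is never backed by a statement of what that syntax is, and nothing here says whether the two fields must list exactly the same set of files. Suggest spelling out the per-line layout in this paragraph, or pointing to where it is defined, and stating what a consumer should do when the two fields disagree about a file or its size.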

> What's the use of having both fields at the same time? I can see the
> desire to aid compatibility by leaving the Files: section in, but adding
> two new Checksums fields at the same time seems superfluous to
> me. What's the advantage of having both over just adding
> Checksums-Sha256 and forgetting about Checksums-Sha1?

That's probably best addressed to the dpkg maintainers, since we're mostly
documenting work that was already done and bringing Policy up to date with
what the tools do.  The one reason that I can think of off-hand is that if
one is protecting against theoretical collision or preimage attacks, it's
much harder to generate collisions simultaneously in two different hash
functions than in just one.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>
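
An added example, not part of the original message and not dpkg's code: a minimal Python check that accepts a file only when its size, SHA-1 and SHA-256 all match the two fields, which is where the "two hash functions at once" argument takes effect. It assumes each entry line is `checksum size filename` separated by spaces and that the signature on the control file has already been verified and stripped; the function names and sample files are constructed for illustration.

```python
import hashlib

# Field name -> hashlib algorithm, for the two fields named in the patch.
ALGOS = {"Checksums-Sha1": "sha1", "Checksums-Sha256": "sha256"}
# Constructed sample input (not a real upload).
SAMPLE_FILES = {"hello_1.0.orig.tar.gz": b"constructed tarball bytes",
                "hello_1.0-1.debian.tar.gz": b"constructed packaging bytes"}

def parse_checksums(control_text):
    """Return {field: {filename: (hexdigest, size)}}; malformed entries raise ValueError."""
    fields, current = {}, None
    for line in control_text.splitlines():
        if line[:1] in (" ", "\t"):      # continuation line of a multiline field
            if current in ALGOS and line.strip():
                digest, size, name = line.split()
                fields[current][name] = (digest.lower(), int(size))
        elif ":" in line:                # start of a new field
            current = line.split(":", 1)[0]
            if current in ALGOS:
                fields[current] = {}
    return fields

def verify(control_text, files):
    """files maps filename -> bytes. Returns a list of problems; empty means accept."""
    fields = parse_checksums(control_text)
    problems = [f"missing field {f}" for f in ALGOS if f not in fields]
    if problems:
        return problems                  # never fall back to a single hash
    if set(fields["Checksums-Sha1"]) != set(fields["Checksums-Sha256"]):
        problems.append("fields list different files")
    for field, algo in ALGOS.items():
        for name, (digest, size) in sorted(fields[field].items()):
            data = files.get(name)
            if data is None:
                problems.append(f"{name}: not available")
            elif len(data) != size:
                problems.append(f"{name}: size mismatch in {field}")
            elif hashlib.new(algo, data).hexdigest() != digest:
                problems.append(f"{name}: {algo} mismatch")
    return problems

def build_stanza(files):
    """Build a constructed control stanza carrying both checksum fields."""
    out = ["Source: hello"]
    for field, algo in ALGOS.items():
        out.append(field + ":")
        out += [f" {hashlib.new(algo, d).hexdigest()} {len(d)} {n}" for n, d in files.items()]
    return "\n".join(out) + "\n"
```

A substituted file has to satisfy both digests and the size at once; matching only the SHA-1 entry still leaves a SHA-256 mismatch in the result.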


