Re: [RFC] General Resolution to deploy tag2upload
Hi,
On Wed, 2024-06-12 at 09:18 +0200, Gard Spreemann wrote:
> Russ Allbery <rra@debian.org> writes:
> > Ansgar 🙀 <ansgar@43-1.org> writes:
> > > In addition it reintroduces trust in weak cryptographic hashes which
> > > effort was spent to remove.
> >
> > I think this concern is significantly overblown and attempted to explain
> > precisely why I believe that in my security review. I'll also point out
> > that using SHA-256 hashes in *.dsc files does not somehow mean that Debian
> > is no longer trusting SHA-1 hashes, given that most Debian development is
> > done in Git using SHA-1 hashes.
> >
> > I think we're all agreed that switching Git to SHA-256 hashes would be
> > great and, once that work is done, we should take advantage of it,
> > including in tag2upload.
>
> I have not more than skimmed the architecture, so forgive me if this
> makes no sense: Could this fear (whether overblown or not) not be
> alleviated by including in the tag2upload structured metadata a SHA-256
> hash of all the files in the given commit?
Yes, that was suggested as a compromise in the past, but tag2upload
upstream was not interested in having any changes.
Ansgar
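As an added illustration of the compromise raised above (a per-file SHA-256 manifest carried alongside the Git tree, which is identified only by SHA-1 object ids), here is example code that is not part of tag2upload or of this thread; the manifest format, the dict-based model of a commit tree and the file names are all assumptions made for the example.

```python
"""Per-file SHA-256 manifest for the files of a commit, beside Git's SHA-1 blob id.
Added example, not tag2upload code. Assumptions: a commit tree is modelled as
{path: bytes}; the manifest line format ('<sha256>  <path>') is hypothetical."""
import hashlib


def git_blob_id(content: bytes) -> str:
    """Git's object id for a blob: SHA-1 over the header 'blob <size>\\0' + content."""
    header = b"blob %d\0" % len(content)
    return hashlib.sha1(header + content).hexdigest()


def build_manifest(tree: dict[str, bytes]) -> str:
    """One line per file, sorted by path, binding each file's content to its SHA-256."""
    lines = [f"{hashlib.sha256(data).hexdigest()}  {path}"
             for path, data in sorted(tree.items())]
    return "\n".join(lines) + "\n"


def verify_manifest(manifest: str, tree: dict[str, bytes]) -> list[str]:
    """Return the list of problems found; an empty list means every listed file is
    present with matching SHA-256 and the tree contains no unlisted file."""
    expected = {}
    for line in manifest.splitlines():
        digest, path = line.split("  ", 1)
        expected[path] = digest
    problems = []
    for path in sorted(set(expected) | set(tree)):
        if path not in tree:
            problems.append(f"missing: {path}")
        elif path not in expected:
            problems.append(f"unlisted: {path}")
        elif hashlib.sha256(tree[path]).hexdigest() != expected[path]:
            problems.append(f"mismatch: {path}")
    return problems


# Constructed sample tree standing in for the files of a tagged commit.
SAMPLE_TREE = {
    "debian/changelog": b"hello (1.0-1) unstable; urgency=medium\n",
    "debian/control": b"Source: hello\n",
    "src/main.c": b"int main(void) { return 0; }\n",
}

if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_TREE)
    print(manifest)
    print("problems:", verify_manifest(manifest, SAMPLE_TREE))
```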