
Re: Debian sources have limited file integrity



Whether your points are valid or not, the way to go is to file a bug for
each separate issue[1]. Because different teams might be involved in
solving each bug.

You will probably need to file them against a system pseudo-package[2].
Choose wisely, those are the ones that will get to see the bug first.

Also, while trying to file it, check whether somebody else has already brought
up the same issue. Anyway, that's all explained in [3].

Thanks for trying to make Debian better.

[1] https://www.debian.org/Bugs/
[2] https://www.debian.org/Bugs/pseudo-packages
[3] https://www.debian.org/Bugs/Reporting

On 13/11/16 13:55, Luke wrote:
> On 11/12/2016 09:39 PM, Luke wrote:
>> Hello,
>> Many downstream projects are using your source files directly from your
>> FTP and packaging. This presents a problem.
>>
>> 1) Navigate to https://ftp.de.debian.org/debian/pool/main/
>> 2) Click on ANY folder/subfolder of a popular project.
>> 3) The only checksum can be found in the .dsc file.
>>
>> While having the .dsc file is better than nothing, it does not allow
>> downstream to run GPG verification against the source files themselves.
>> Additionally, .dsc files only have SHA256 as the strongest checksum.
>> SHA1 and MD5 have been considered weak/broken for some time, per
>> Debian's own documentation.
>>
>> Please consider implementing a system similar to kernel.org's -
>> https://mirrors.kernel.org/sourceware/lvm2/releases/
>>
>> In this scenario, each source tarball is signed with GPG, and a
>> SHA512SUM is included for the entire directory as well. Downstream can
>> then verify the GPG signature and the checksum easily.
>>
>> Thank you for your time and concern.
>>
>>
>> Sincerely,
>> Luke
>> Parabola GNU/Linux-libre Packager
>>
>>
> Hello,
> I forgot to mention - HTTPS is also not properly functioning on
> ftp.debian.org. Please consider adding HTTPS support as soon as possible.
> 
> 
> Thank you.
> 
> Sincerely,
> Luke
> Parabola GNU/Linux-libre Packager
> 
> 
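The thread turns on what a downstream consumer can actually check when the only digests live in the .dsc. The script below is an added example, not something posted in this thread or shipped by Debian: it parses the `Checksums-Sha256:` stanza of a .dsc and confirms that each listed file exists with the stated size and SHA-256. The sample .dsc and "tarball" it builds are constructed inline so it runs offline; it assumes GNU coreutils (`sha256sum`, `wc`, `mktemp`) and `awk`. The OpenPGP half of the check, `gpg --verify <file>.dsc` against a keyring you trust, is deliberately left out so the block needs no keys.

```shell
#!/bin/sh
# Added example (not from the thread): check the files named in a .dsc's
# Checksums-Sha256 stanza against what is on disk. Signature checking of the
# .dsc itself (`gpg --verify <file>.dsc`) is the other half and is not done here.

# Build a throwaway directory with a constructed "tarball" and a minimal,
# unsigned .dsc describing it, so the checks below run offline.
make_sample() {
  dir=$(mktemp -d)
  printf 'constructed sample payload\n' > "$dir/demo_1.0.orig.tar.gz"
  sum=$(sha256sum "$dir/demo_1.0.orig.tar.gz" | cut -d' ' -f1)
  size=$(wc -c < "$dir/demo_1.0.orig.tar.gz" | tr -d ' ')
  {
    printf 'Format: 3.0 (quilt)\n'
    printf 'Source: demo\n'
    printf 'Checksums-Sha256:\n'
    printf ' %s %s demo_1.0.orig.tar.gz\n' "$sum" "$size"
    printf 'Files:\n'   # the MD5 stanza; digest below is a placeholder
    printf ' 00000000000000000000000000000000 %s demo_1.0.orig.tar.gz\n' "$size"
  } > "$dir/demo_1.0.dsc"
  echo "$dir"
}

# Emit "sha256 size filename" for each entry of the Checksums-Sha256 stanza.
# A stanza is the run of space-indented lines after the field name; any
# non-indented line (the next field, or PGP armor) ends it.
dsc_sha256_entries() {
  awk '/^Checksums-Sha256:/ { inblk = 1; next }
       /^[^ ]/              { inblk = 0 }
       inblk && NF == 3     { print $1, $2, $3 }' "$1"
}

# Exit status 0 only if the stanza is present and every listed file exists
# with the stated size and SHA-256. Problems are reported on stderr.
verify_dsc_checksums() {
  dsc=$1
  dir=$(dirname "$dsc")
  n=$(dsc_sha256_entries "$dsc" | wc -l | tr -d ' ')
  if [ "$n" -eq 0 ]; then
    echo "no Checksums-Sha256 stanza in $dsc" >&2
    return 1
  fi
  # The loop runs in a subshell; `exit 1` there becomes the pipeline status.
  dsc_sha256_entries "$dsc" | while read -r want_sum want_size name; do
    f="$dir/$name"
    if [ ! -f "$f" ]; then
      echo "MISSING  $name" >&2
      exit 1
    fi
    have_sum=$(sha256sum "$f" | cut -d' ' -f1)
    have_size=$(wc -c < "$f" | tr -d ' ')
    if [ "$have_sum" != "$want_sum" ] || [ "$have_size" != "$want_size" ]; then
      echo "MISMATCH $name" >&2
      exit 1
    fi
    echo "OK       $name"
  done
}

# Stand-alone demo: a clean sample verifies, a tampered copy does not.
d=$(make_sample)
verify_dsc_checksums "$d/demo_1.0.dsc"
printf 'tampered\n' >> "$d/demo_1.0.orig.tar.gz"
verify_dsc_checksums "$d/demo_1.0.dsc" || echo "tampering detected"
rm -rf "$d"
```

In practice the .dsc is the artifact that carries the uploader's OpenPGP signature, so the flow a downstream packager wants is: verify the .dsc signature against a keyring they trust, then confirm the tarballs match the checksums inside it, which is what this script does for the second step. Debian's `dscverify` tool (from the devscripts package) performs both steps in one command; the script above is only meant to make the structure of that check visible.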

