
Bug#378183: apt: All SHA256 hashes generated/used by APT are wrong



Jakob Bohm <jbj@image.dk> writes:

> To work around the "breaks whole system" issue, the following
> transition plan is proposed:
>
>  1. Before uploading the fixed apt, temporarily reconfigure
>   darcs etc. to NOT include SHA256 values in Packages files at
>   all (apt-ftparchive has an option to do that).
>
>  2. Upload the fixed apt as a minimal change from the apt
>    version in testing, and coordinate with ftpadmin to push it
>    quickly through to testing.  Yes, this means holding back
>    other bug fixes until the change has propagated.
>
>  3. Allow 1-3 weeks for users to upgrade to the fixed apt.  Use
>    the various announce mailing lists to alert users to the
>    urgency of getting rid of apt versions 0.6.44 to 0.6.44.?
>    inclusive before the grace period ends!
>
>  4. Turn SHA256 back on in darcs etc.  This makes the SHA256
>    security available for real.  But it also means that the
>    archive can no longer be used by the broken 0.6.44 versions
>    of apt.  So leave behind (on the ftp server, www server etc.)
>    a message explaining how users can manually upgrade to a new
>    apt version by downloading a .tar file and a detached .gpg
>    signature from ftp.debian.org/debian/tools/something .  (This
>    would be a hand-built tar file containing replacement .so
>    files for each of the bad 0.6.44 apt versions and platforms).
>
> For the security breakage, patching apt is the obvious fix.

One could rename the SHA256 field to SHA256v2 (or something) instead,
allowing both new and old apt to work with both new and old
Packages files.

Breaking the format even with a 4-week grace period will result in
users having broken systems. We had such a transition for the
debian-amd64 project (with libc6/base-files depends) and even 6 months
after the transition period users still appeared on the ML unable to
upgrade from before the transition to current. There will always be
stragglers.

MfG
        Goswin
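As an added illustration of the field-renaming idea (example code, not from the bug report, from apt, or from either poster): the Python model below treats a Packages stanza the way an apt-like client is assumed to, taking the strongest hash field it recognises and ignoring any field it does not know. The three clients, the stand-in for the buggy digest (the real wrong output is not reproduced) and the sample stanzas are all constructed for the example; the field name SHA256v2 is the one proposed in the message above.

```python
import hashlib

# Added example (not from the bug report or apt): a minimal model of how an
# apt-like client picks a hash field from a Packages stanza, used to compare
# "fix SHA256 in place" against "rename the field to SHA256v2".

def md5(data):
    return hashlib.md5(data).hexdigest()

def sha1(data):
    return hashlib.sha1(data).hexdigest()

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def buggy_sha256(data):
    # Stand-in for the wrong digest the broken apt computed (assumption: the
    # real bug is not reproduced; any value that differs from sha256 will do).
    return hashlib.sha256(data + b"\0").hexdigest()

# Each client: the fields it understands, strongest first, and the digest it
# checks each one with.  Fields a client does not know are ignored, which is
# the property the renaming proposal relies on.
CLIENTS = {
    "old": {"SHA256": buggy_sha256, "SHA1": sha1, "MD5sum": md5},
    "fixed-same-name": {"SHA256": sha256, "SHA1": sha1, "MD5sum": md5},
    "fixed-renamed": {"SHA256v2": sha256, "SHA1": sha1, "MD5sum": md5},
}

def parse_stanza(text):
    """Parse one Packages stanza (plain 'Field: value' lines) into a dict."""
    fields = {}
    for line in text.strip().splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def verify(stanza, data, client):
    """Return (field_used, ok) for the strongest hash field the client knows.
    (None, False) means the stanza carried no field this client can check."""
    for field, digest in CLIENTS[client].items():
        if field in stanza:
            return field, digest(data) == stanza[field]
    return None, False

# Constructed package contents and three constructed Packages stanzas.
DEB = b"constructed sample package contents\n"

def make_stanza(hash_line):
    return f"""Package: example
Filename: pool/main/e/example/example_1.0_all.deb
MD5sum: {md5(DEB)}
SHA1: {sha1(DEB)}
{hash_line}
"""

FORMATS = {
    # What the archive serves today: SHA256 written by the broken code.
    "old": parse_stanza(make_stanza(f"SHA256: {buggy_sha256(DEB)}")),
    # Step 4 of the quoted plan: corrected value, same field name.
    "fixed": parse_stanza(make_stanza(f"SHA256: {sha256(DEB)}")),
    # The alternative proposed above: corrected value under a new name.
    "renamed": parse_stanza(make_stanza(f"SHA256v2: {sha256(DEB)}")),
}

def compatibility_matrix():
    """(client, format) -> (field used, verified?) for every combination."""
    return {(c, f): verify(FORMATS[f], DEB, c) for c in CLIENTS for f in FORMATS}

if __name__ == "__main__":
    for (client, fmt), (field, ok) in compatibility_matrix().items():
        print(f"{client:16} x {fmt:8} -> {field or '-':9} {'OK' if ok else 'REJECT'}")
```

Running it shows the trade-off in one table: the "old" client rejects the "fixed" format and the "fixed-same-name" client rejects the "old" format, so whichever side moves first, the other breaks; the "fixed-renamed" client and the "renamed" format verify against every counterpart, at the cost that mixed pairs fall back to SHA1 rather than SHA256.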


