Hi David, I have tested the patch. It is working. See my comments in the text. David Kalnischkies wrote: > Hi Andreas Miller, > > 2010/4/4 Andreas Miller <andreas.miller@sec-xtreme.com>: >> the hash value of apt-get with print-uris depends on the hash-algorithms used in the Packages-Files. > > Yes it does and it does so since at least 0.7.7 - or in other words > since the 23. Oct 2007 (The acquire method uses always the strongest > hash available). > I think the strongest hash value should be the default used in the Debian package. I.e. a file /etc/apt/apt.conf.d/02hashlevel should block lower hashes in a vanilla installation of an operating system. A user should be able to use a lower hash level only when necessary and available. > >> In the documentation (man-page) no prefix of the hash-algorithm is mentioned and no option to select the wanted hash >> algorithm can be found. > I don't know what you mean with prefix here, but this MD5Sum: or similar is > intended to indicate which hashmethod is used for the hash. > Yes, this method is working fine. > Attached is a patch which can be used to force the usage of a specific > hashmethod. apt-get will use this in --print-uris commands to force md5sum > if the user hasn't forced another method already. > Is that what you need/request? Yes. I hope this option is forcing the hash not only when --print-uris is active, but when the hash values are validated during the installation of the package. > > > Best regards / Mit freundlichen Grüßen, > > David Kalnischkies Best regards Andreas Miller
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature