Bug#576420: apt-get --print-uris hash not always MD5
Hello Andreas,
Am 17. April 2010 07:35:47 UTC+2 schrieb Andreas.Miller
<Andreas.Miller@sec-xtreme.com>:
> I have tested the patch. It is working.
Thanks. :)
>> 2010/4/4 Andreas Miller <andreas.miller@sec-xtreme.com>:
>>> the hash value of apt-get with print-uris depends on the
> hash-algorithms used in the Packages-Files.
>>
>> Yes it does and it does so since at least 0.7.7 - or in other words
>> since the 23. Oct 2007 (The acquire method uses always the strongest
>> hash available).
>>
>
> I think the strongest hash value should be the default used in the
> Debian package. I.e. a file /etc/apt/apt.conf.d/02hashlevel should block
> lower hashes in a vanilla installation of an operating system.
> A user should be able to use a lower hash level only when necessary and
> available.
As said the method will use the strongest available in the Packages files -
currently supported are sha256, sha1 and md5sum. All these checksums
are per default generated by the archive creaters like our apt-ftparchive.
So in practice all downloaded meta information files are check by sha256.
>> Attached is a patch which can be used to force the usage of a specific
>> hashmethod. apt-get will use this in --print-uris commands to force md5sum
>> if the user hasn't forced another method already.
>> Is that what you need/request?
>
> Yes. I hope this option is forcing the hash not only when --print-uris
> is active, but when the hash values are validated during the
> installation of the package.
Yes, this force flag can be used to use a specific one also for the "real"
validation - it is just not set by default and therefore the method will use
the strongest available hashmethod. Only in invocations with --print-uris
the default is changed to "md5sum".
Best regards / Mit freundlichen Grüßen,
David Kalnischkies
Reply to: