Your message dated Thu, 15 Dec 2016 23:33:02 +0100 with message-id <20161215232925.GA28431@debian.org> and subject line Re: Bug#848279: deprecate InRelease in favor of Release.gpg has caused the Debian Bug report #848279, regarding deprecate InRelease in favor of Release.gpg to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.) -- 848279: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=848279 Debian Bug Tracking System Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: deprecate InRelease in favor of Release.gpg
- From: Patrick Schleizer <adrelanos@riseup.net>
- Date: Thu, 15 Dec 2016 22:16:00 +0000
- Message-id: <[🔎] daecd148-5001-8099-2d1f-5e3b2c65435f@riseup.net>
Package: apt Severity: wishlist X-Debbugs-CC: whonix-devel@whonix.org In light of CVE-2016-1252... When there is Release.gpg implemented in apt, why not deprecate InRelease?
--- End Message ---
--- Begin Message ---
- To: Patrick Schleizer <adrelanos@riseup.net>, 848279-done@bugs.debian.org
- Subject: Re: Bug#848279: deprecate InRelease in favor of Release.gpg
- From: Julian Andres Klode <jak@debian.org>
- Date: Thu, 15 Dec 2016 23:33:02 +0100
- Message-id: <20161215232925.GA28431@debian.org>
- In-reply-to: <[🔎] daecd148-5001-8099-2d1f-5e3b2c65435f@riseup.net>
- References: <[🔎] daecd148-5001-8099-2d1f-5e3b2c65435f@riseup.net>
On Thu, Dec 15, 2016 at 10:16:00PM +0000, Patrick Schleizer wrote: > Package: apt > Severity: wishlist > X-Debbugs-CC: whonix-devel@whonix.org > > In light of CVE-2016-1252... > > When there is Release.gpg implemented in apt, why not deprecate InRelease? You got that wrong. We deprecated Release.gpg in preference of InRelease: Unfortunately, Release.gpg breaks atomic updates of repositories (because Release and Release.gpg need to be updated at the same time) and thus breaks update runs randomly with hash sum mismatches. So, there's really nothing we can do here. -- Debian Developer - deb.li/jak | jak-linux.org - free software dev | Ubuntu Core Developer | When replying, only quote what is necessary, and write each reply directly below the part(s) it pertains to ('inline'). Thank you.
--- End Message ---