2017-01-18 0:14 GMT+01:00 Stuart Prescott <stu...@debian.org>:
> Hi Adrian,
>
>> I want to do a MBF for all packages without a SHA256 checksum field
>> in the .dsc [1] - only SHA1 as hash would not be good in stretch.
>
> I missed two details here:
>
> * why is this worth going at all
>
> * why is this important enough for the bugs to be release-critical (which
> means, after all: either drop the package or delay the release).
>
> The hashes inside the .dsc file are not used in Debian once the package has
> been accepted by dak.
I do require them in Debian derivatives (Tanglu / PureOS), and .dsc files without the up-to-date signatures are quite a pain to handle. I was already thinking about ways to mitigate this problem without sacrificing security, but to do so would be quite some effort. (Admittedly, updating the Debian packages will be too, but that way we will also filter out unmaintained packages.)

IMHO the bugs don't need to be RC, but it would be absolutely amazing to have the checksums available in .dsc files too. Which means that this has to be RC at some point (but maybe not directly before the freeze).

> * The trustable way of getting the source package is with apt-get source,
> when apt verifies the Release signature → hashes → Sources → hashes for each
> part of the source package: dsc, orig.tar.gz, diff.gz/diff.tar.xz

If you mirror Debian's archive into dak again, this becomes a problem, since dak (for good reason) will not import packages with weak checksums, so re-importing source packages is a challenge.

> [...]

Cheers,
    Matthias

--
Debian Developer | Freedesktop-Developer
I welcome VSRE emails. See http://vsre.info/
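The check the proposed MBF would apply, as an added example that is neither from this thread nor from dak: a small Python parser for the Checksums-* fields of an unsigned .dsc body that reports whether a Checksums-Sha256 field is present and verifies a source part against that field only, never falling back to the SHA-1 entries. The sample .dsc and tarball bytes are constructed.

```python
import hashlib
# Constructed sample source part; the sample .dsc hashes are computed from it.
ORIG_TAR = b"constructed orig tarball bytes\n"
PART = "example_1.0.orig.tar.gz"

def build_sample_dsc(with_sha256):
    """Constructed unsigned .dsc body, with or without a Checksums-Sha256 field."""
    size = len(ORIG_TAR)
    body = ["Format: 3.0 (quilt)", "Source: example", "Version: 1.0-1",
            "Checksums-Sha1:", f" {hashlib.sha1(ORIG_TAR).hexdigest()} {size} {PART}"]
    if with_sha256:
        body += ["Checksums-Sha256:",
                 f" {hashlib.sha256(ORIG_TAR).hexdigest()} {size} {PART}"]
    return "\n".join(body) + "\n"

def parse_dsc(text):
    """Parse a Deb822 block into {field: [values]}; continuation lines (leading
    space) of Checksums-* fields become one item per file."""
    fields, current = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and current is not None:
            fields[current].append(line.strip())
        elif ":" in line:
            current, _, value = line.partition(":")
            current = current.strip()
            fields[current] = [value.strip()] if value.strip() else []
    return fields

def checksum_table(fields, field):
    """Return {filename: (hexdigest, size)} for one Checksums-* field."""
    table = {}
    for entry in fields.get(field, []):
        digest, size, name = entry.split()
        table[name] = (digest, int(size))
    return table

def has_sha256(text):
    """The MBF criterion from the thread: does the .dsc list SHA-256 sums?"""
    return bool(checksum_table(parse_dsc(text), "Checksums-Sha256"))

def verify_part(text, name, data):
    """Check a source part against Checksums-Sha256 only; SHA-1 entries are
    never used as a fallback. Returns 'ok', 'mismatch' or 'no-sha256'."""
    table = checksum_table(parse_dsc(text), "Checksums-Sha256")
    if name not in table:
        return "no-sha256"
    digest, size = table[name]
    if len(data) != size or hashlib.sha256(data).hexdigest() != digest:
        return "mismatch"
    return "ok"
```

A SHA-1-only .dsc yields 'no-sha256' rather than a weaker verification, which is the situation dak refuses to import.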