Re: please, let's *completely* drop md5sums for buster (was Re: no-strong-digests-in-dsc MBF)

2017-01-23 Thread Guus Sliepen
On Sun, Jan 22, 2017 at 12:34:11PM +0100, Bernd Zeimetz wrote: > afaik people are criticizing that there are still (only) md5sum files in > /var/lib/dpkg/info. As dpkg --verify uses them, it might indeed make > sense to replace them. > (yes, dpkg is not an IDS, but better than nothing...). I'm

Re: please, let's *completely* drop md5sums for buster (was Re: no-strong-digests-in-dsc MBF)

2017-01-22 Thread Guillem Jover
On Sun, 2017-01-22 at 13:54:26 +0100, Philipp Kern wrote: > On 22.01.2017 12:34, Bernd Zeimetz wrote: > > afaik people are criticizing that there are still (only) md5sum files in > > /var/lib/dpkg/info. As dpkg --verify uses them, it might indeed make > > sense to replace them. > > (yes, dpkg is

Re: please, let's *completely* drop md5sums for buster (was Re: no-strong-digests-in-dsc MBF)

2017-01-22 Thread Philipp Kern
On 22.01.2017 12:34, Bernd Zeimetz wrote: > afaik people are criticizing that there are still (only) md5sum files in > /var/lib/dpkg/info. As dpkg --verify uses them, it might indeed make > sense to replace them. > (yes, dpkg is not an IDS, but better than nothing...). Originally the thread was

Re: please, let's *completely* drop md5sums for buster (was Re: no-strong-digests-in-dsc MBF)

2017-01-22 Thread Bernd Zeimetz
On 01/22/2017 10:49 AM, Philipp Kern wrote: > On 22.01.2017 00:17, Holger Levsen wrote: >> We really ought to do the same. I'm all for keeping sha1+sha256, but >> please let's *completely* drop md5sums for buster. > > We already dropped SHA1, FWIW, so it's md5+sha256. And again, the Oracle >

Re: please, let's *completely* drop md5sums for buster (was Re: no-strong-digests-in-dsc MBF)

2017-01-22 Thread Philipp Kern
On 22.01.2017 00:17, Holger Levsen wrote: > We really ought to do the same. I'm all for keeping sha1+sha256, but > please let's *completely* drop md5sums for buster. We already dropped SHA1, FWIW, so it's md5+sha256. And again, the Oracle announcement was about MD5-only, so isn't relevant to the

please, let's *completely* drop md5sums for buster (was Re: no-strong-digests-in-dsc MBF)

2017-01-21 Thread Holger Levsen
Hi, I'm sorry but I want to amend myself… On Sat, Jan 21, 2017 at 05:34:41PM +, Holger Levsen wrote: > > > (and btw, let's drop md5sums for buster, "maybe", _completely_, or how long > > > do we want to be joked about?) > > I'm not sure why you say this. More than one hash is strictly better

Re: no-strong-digests-in-dsc MBF

2017-01-21 Thread Holger Levsen
On Sat, Jan 21, 2017 at 06:31:44PM +0100, Philipp Kern wrote: > AIUI we never exported the .changes files either, which would have > allowed an independent party to check if the files inserted came from a > developer or not. yeah, I consider this another bug. > > (and btw, let's drop md5sums

Re: no-strong-digests-in-dsc MBF

2017-01-21 Thread Philipp Kern
On 19.01.2017 14:27, Holger Levsen wrote: > On Wed, Jan 18, 2017 at 10:14:46AM +1100, Stuart Prescott wrote: >> The hashes inside the .dsc file are not used in Debian once the package has >> been accepted by dak. >> >> * The trustable way of getting the source package is with apt-get source, >>

Re: no-strong-digests-in-dsc MBF

2017-01-19 Thread Holger Levsen
On Wed, Jan 18, 2017 at 10:14:46AM +1100, Stuart Prescott wrote: > The hashes inside the .dsc file are not used in Debian once the package has > been accepted by dak. > > * The trustable way of getting the source package is with apt-get source, > when apt verifies the Release signature →

Re: no-strong-digests-in-dsc MBF

2017-01-17 Thread Ian Jackson
Stuart Prescott writes ("Re: no-strong-digests-in-dsc MBF"): > Given the hashes aren't used within Debian and can't be used reliably by > external parties either, it doesn't feel like a good use of anyone's time. dgit uses the hashes in the .dsc, both during `dgit fetch' and dur

Re: no-strong-digests-in-dsc MBF

2017-01-17 Thread Stuart Prescott
Hi Matthias, On Wed, 18 Jan 2017 00:31:44 Matthias Klumpp wrote: > > The hashes inside the .dsc file are not used in Debian once the package > > has > > been accepted by dak. > > I do require them in Debian derivatives (Tanglu / PureOS) and .dsc > files without the up-to-date signatures are

Re: no-strong-digests-in-dsc MBF

2017-01-17 Thread Matthias Klumpp
2017-01-18 0:14 GMT+01:00 Stuart Prescott : > Hi Adrian, > >> I want to do a MBF for all packages without a SHA256 checksum field >> in the .dsc [1] - only SHA1 as hash would not be good in stretch. > > I missed two details here: > > * why is this worth going at all > > * why is

Re: no-strong-digests-in-dsc MBF

2017-01-17 Thread Stuart Prescott
Hi Adrian, > I want to do a MBF for all packages without a SHA256 checksum field > in the .dsc [1] - only SHA1 as hash would not be good in stretch. I missed two details here: * why is this worth going at all * why is this important enough for the bugs to be release-critical (which means,

Re: no-strong-digests-in-dsc MBF

2017-01-17 Thread Ansgar Burchardt
Adrian Bunk writes: > I want to do a MBF for all packages without a SHA256 checksum field > in the .dsc [1] - only SHA1 as hash would not be good in stretch. Why? The Sources index should have a stronger hash either way. If you care about stronger hashes in the .dsc itself, wouldn't the .dsc

no-strong-digests-in-dsc MBF

2017-01-17 Thread Adrian Bunk
Hi, I want to do a MBF for all packages without a SHA256 checksum field in the .dsc [1] - only SHA1 as hash would not be good in stretch. This is quite easy to fix in a package - all that is required is a sourceful upload (but a binNMU would not be sufficient). The steps will be: 1. QA