On Wed, Oct 23, 2019 at 09:29:53PM -0400, Daniel Kahn Gillmor wrote:
>On Wed 2019-10-23 16:39:24 +0100, Steve McIntyre wrote:
>> On Tue, Oct 22, 2019 at 11:51:56PM +0200, Ansgar wrote:
>>> - writing MD5sum in a separate file only used by debian-cd (if present,
>>>   otherwise debian-cd should fall back to using Packages), or
>
>Sounds like this is the only option available given the constraints of
>deployed systems in the field.
>
>What parts of debian's internal machinery need to be updated to do such
>a thing?
>
>> I've started a local branch to update jigdo and jigit/libjte to use
>> sha256 some time ago, but -ENOTIME.
>
>Bummer, and i feel for you.
>
>Perhaps we should officially EOL jigdo now, if no one has time to work
>on it.

No, *really* no. It's just bumped up my priority list now.

>Obviously, we'd continue supporting deployed legacy systems and give
>them a chance (one release cycle?) to switch to something that is
>actually maintained, but it is doing them no favors to pretend that a
>system they're relying on is getting maintenance when no one has time to
>work on it.

It's more complicated than this - we *also* use jigdo for:

 * mirroring of images, both on the mirror network and also for those
   of us doing release day tests etc.

 * providing a wider range of images for download without having to
   store all the data for ISO / BT download (e.g. a full range of
   DVDs, BD images, etc.)

 * archiving older releases, again so we don't have to keep *all* the
   ISOs *ever*

>> As mentioned in IRC yesterday, we will also need some time to update
>> clients in the field to be able to upgrade safely. That includes
>> Windows binaries (yay!)...
>
>The time to update (or deprecate) deployed clients that depend on md5
>for object integrity was something like 8 years ago when RFC 6151 was
>published :(

The vast majority of the usage of MD5 here is for (essentially)
content-addressable storage. Given the context (with a checksum over
the whole image too), this is not such a critical failing.

-- 
Steve McIntyre, Cambridge, UK.                        st...@einval.com
Getting a SCSI chain working is perfectly simple if you remember that there
must be exactly three terminations: one on one end of the cable, one on the
far end, and the goat, terminated over the SCSI chain with a silver-handled
knife whilst burning *black* candles. --- Anthony DeBoer
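
Added example, not part of the original message and not jigdo's own code or file format: a simplified model of the argument above, where MD5 serves only as a content-addressable lookup key and a checksum over the whole image is the final integrity check. The template layout, the function names and the use of SHA-256 for the whole-image digest are assumptions, and the sample parts are constructed.

```python
import hashlib


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def build_template(parts):
    """Describe an image as ordered part MD5s plus one whole-image SHA-256."""
    image = b"".join(parts)
    return {
        "parts": [md5_hex(p) for p in parts],
        "sha256": hashlib.sha256(image).hexdigest(),
    }


def assemble(template, store):
    """Rebuild the image from a store keyed by MD5, then verify it as a whole."""
    out = bytearray()
    for key in template["parts"]:
        if key not in store:
            raise KeyError(f"missing part {key}")
        out += store[key]  # MD5 is only the lookup key at this step
    if hashlib.sha256(out).hexdigest() != template["sha256"]:
        raise ValueError("whole-image SHA-256 mismatch")
    return bytes(out)


# Constructed sample data standing in for package files.
PARTS = [b"pkg-a_1.0 contents", b"pkg-b_2.1 contents", b"pkg-c_0.3 contents"]
TEMPLATE = build_template(PARTS)
GOOD_STORE = {md5_hex(p): p for p in PARTS}

# Model the failure a weak part hash allows: different bytes filed under
# an existing MD5 key. No real collision is computed here.
BAD_STORE = dict(GOOD_STORE)
BAD_STORE[md5_hex(PARTS[1])] = b"substituted contents"


def demo():
    """Return (good store reassembles, substituted part is rejected)."""
    ok = assemble(TEMPLATE, GOOD_STORE) == b"".join(PARTS)
    try:
        assemble(TEMPLATE, BAD_STORE)
        caught = False
    except ValueError:
        caught = True
    return ok, caught


if __name__ == "__main__":
    print(demo())
```

The whole-image check only carries this weight if its digest uses a collision-resistant hash and reaches the client through an authenticated channel.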