On Thu, Oct 24, 2019 at 09:05:16AM +0200, Thomas Schmitt wrote:
>Hi,
>
>Ansgar wrote:
>> > > From looking, I believe it is debian-cd's tools/grab_md5 that is using
>> > > the MD5sum from Packages (and Sources) to avoid having to compute all
>> > > these checksums itself.
>
>Steve McIntyre wrote:
>> > Well, not just that. It grabs them for use in the jigdo file. The
>> > jigdo backend in xorriso (libjte) also checks them as it creates the
>> > ISO, for sanity checking on archive/mirror consistency right there.
>
>The aspect of "archive/mirror consistency" is not what i perceive as
>the main purpose of the MD5s. I'd rather characterize them as relation
>keys and as transport checksums.

Sure, that's *most* of it. It's *also* checking for potential
corruption in the mirror at build time. We used to have a separate
slow step in debian-cd for that, then replaced it with the checking
inside JTE. We *have* found occasional errors this way over the years.

>Not as security precaution.

Agreed.

[ suggestion to stay with md5 internally ]

I *do* want to update things here, and it's not far off done AFAICS.

>> > As mentioned in IRC yesterday, we
>> > will also need some time to update clients in the field to be able to
>> > upgrade safely.
>
>My proposal would make this update of clients much smoother, because the
>old not-so-safe clients would continue to work with new jigdo files.
>
>I wonder whether it is really that hard for debian-cd to compute the MD5s
>on its own, before it runs xorriso.

But that loses the mirror-checking feature that I'd like to keep. I'm
looking at moving to sha256 now, and this will pull through the whole
pipeline.

-- 
Steve McIntyre, Cambridge, UK.                                [email protected]
"Further comment on how I feel about IBM will appear once I've worked out
 whether they're being malicious or incompetent. Capital letters are forecast."
 Matthew Garrett, http://www.livejournal.com/users/mjg59/30675.html
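The build-time mirror check discussed in this message, sketched as an added example (not code from debian-cd, libjte or the thread): it compares files under a mirror root against the `Filename`, `Size` and `SHA256` fields of a Packages-style index and reports corruption separately from absence. The function names and the sample mirror are constructed for illustration.

```python
import hashlib, pathlib, tempfile

def parse_packages(text):
    """Yield one dict per blank-line-separated stanza of a Packages-style index."""
    for stanza in text.strip().split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            if line[:1] not in (" ", "\t"):  # skip continuation lines
                key, _, value = line.partition(":")
                fields[key.strip()] = value.strip()
        if "Filename" in fields:
            yield fields

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def check_mirror(root, packages_text):
    """Return {Filename: status}; status is ok, missing, size or digest."""
    report = {}
    for entry in parse_packages(packages_text):
        path = pathlib.Path(root, entry["Filename"])
        if not path.is_file():
            status = "missing"
        elif path.stat().st_size != int(entry["Size"]):
            status = "size"    # cheap check, no hashing needed
        elif sha256_file(path) != entry["SHA256"].lower():
            status = "digest"  # right length, wrong content
        else:
            status = "ok"
        report[entry["Filename"]] = status
    return report

def demo():
    """Constructed mirror: intact, corrupted, truncated and absent files."""
    listed = {"pool/a.deb": b"intact-data", "pool/b.deb": b"payload-AAAA",
              "pool/c.deb": b"full-length-file", "pool/d.deb": b"never-mirrored"}
    on_disk = {"pool/a.deb": b"intact-data", "pool/b.deb": b"payload-AAAB",
               "pool/c.deb": b"full-len"}
    index = "\n\n".join(f"Filename: {n}\nSize: {len(d)}\nSHA256: {hashlib.sha256(d).hexdigest()}"
                        for n, d in listed.items())
    with tempfile.TemporaryDirectory() as root:
        for name, data in on_disk.items():
            p = pathlib.Path(root, name)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
        return check_mirror(root, index)
```

Calling `demo()` returns one status per listed file; anything other than `ok` is what a build would want to stop on before the ISO is written.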

