The proposal to merge ~xnox/launchpad:only-sha256 into launchpad:master has been updated.
Commit message changed to: archivepublisher: consistently use only sha256 for apt archives Unused hashes are redundant, and are now cauing interop problems with overly strict programs and humans. Summary of changes: * Remove md5, sha1 from Release, Packages, Sources metadata in primary & ppa publisher. * Change i18n Index from SHA1 to SHA256. Uncertain if actually used by clients. * Remove sha512 from Packages & Sources in primary publisher only, do not exist anywhere else. (Also see LP: #1536602). Also it is noticably slow even on most modern hardware for rudimentary repository sizes. * Ensure and enforce consistent publishing by both primary & ppa publisher, irrespective of host release. Note that overall security is provided by rsa-pkcs1-v1_5 + sha512 signatures in current primary and ppa publishers, independent of the hash changes in this commit. Minimum required apt for Launchpad host deployment is 1.1 (Xenial) due to `--no-sha512` option usage. Minimum required apt for clients is 0.7.7 (Hardy), subject to compatible signing. Minimum required python-apt client patched for verification bypass CVE-2019-15795 https://security-tracker.debian.org/tracker/CVE-2019-15795 This implementation is intentionally global for all suites in both primary and ppa publishers. Fixes LP: #1883271 For more details, see: https://code.launchpad.net/~xnox/launchpad/+git/launchpad/+merge/452749 -- Your team Launchpad code reviewers is requested to review the proposed merge of ~xnox/launchpad:only-sha256 into launchpad:master. _______________________________________________ Mailing list: https://launchpad.net/~launchpad-reviewers Post to : [email protected] Unsubscribe : https://launchpad.net/~launchpad-reviewers More help : https://help.launchpad.net/ListHelp
