On Tue 2015-06-23 03:31:05 -0400, Jérémy Bobbio wrote:
> Some people suggested that we should record a checksum of the `.deb`
> installed as a way to unambiguously refer to a specific package.
> The main benefit that I can think of is that it would allow directly
> retrieving the file from snapshot.debian.org based on the hash [2].

I like the idea of storing a cryptographically-strong digest of each
installed package. I'm no expert on package management, but dpkg does
sound to me like the right place to keep this record, for whatever
that's worth.

> [2]: https://anonscm.debian.org/cgit/mirror/snapshot.debian.org.git/plain/API
> URL: /file/<hash>

This API is a little weird in that it doesn't specify the hash
algorithm. Their examples are all 160 bits, hex-encoded, which makes me
suspect that they're using SHA-1.

While SHA-1 isn't completely practically broken yet, it's probably not a
good idea to rely on it in situations like this that depend on the
digest mechanism's collision-resistance over binary objects. We haven't
seen a forced SHA-1 collision in published research yet, but it's just a
matter of time (and we don't know what the SHA-1 collision attacks look
like in private research).

A stronger digest from the SHA-2 family (SHA-256 or SHA-512) would be
preferable if we're hardcoding the choice of digest in this first
implementation. Allowing for algorithm agility (hash selection at
runtime) is another option, but it seems like extra engineering work.

--dkg

_______________________________________________
Reproducible-builds mailing list
Reproducible-builds@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/reproducible-builds
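The message above contrasts an unlabelled `/file/<hash>` lookup, where the algorithm has to be guessed from the digest length, with a recorded digest that names its algorithm. The following Python script is an added illustration of that second design and is not code from the thread, from dpkg or from snapshot.debian.org. It assumes a record format of the form `<algo>:<hex>` (an assumption for this example, not anything the list agreed on), produces only SHA-256 or SHA-512 records, parses legacy SHA-1 records without trusting them for verification unless the caller opts in, and shows why a bare hex string cannot be classified unambiguously. The sample archive bytes are constructed, not a real package.

```python
import hashlib
import hmac
import re

# Constructed stand-in for the start of a .deb (ar archive); not a real package.
SAMPLE_DEB = b"!<arch>\ndebian-binary   0           0     0     100644  4         `\n2.0\n"

# Algorithms a new record may be written with, and the wider set we can read.
# SHA-1 is readable for legacy metadata only; this use needs collision resistance.
PRODUCE_ALGOS = ("sha256", "sha512")
HEX_LEN = {"sha1": 40, "sha256": 64, "sha512": 128}


def digest_record(data: bytes, algo: str = "sha256") -> str:
    """Return an algorithm-labelled digest such as 'sha256:<hex>' (assumed format)."""
    if algo not in PRODUCE_ALGOS:
        raise ValueError(f"refusing to produce a {algo} record")
    return f"{algo}:{hashlib.new(algo, data).hexdigest()}"


def parse_record(record: str) -> tuple[str, str]:
    """Split '<algo>:<hex>' into (algo, hex); reject unlabelled or malformed input."""
    m = re.fullmatch(r"(sha1|sha256|sha512):([0-9a-f]+)", record)
    if not m:
        raise ValueError("digest record must be '<algo>:<lowercase hex>'")
    algo, hexdigest = m.group(1), m.group(2)
    if len(hexdigest) != HEX_LEN[algo]:
        raise ValueError(f"{algo} digest must be {HEX_LEN[algo]} hex chars")
    return algo, hexdigest


def verify(data: bytes, record: str, allow_sha1: bool = False) -> bool:
    """Check data against a labelled digest, selecting the hash at runtime.

    SHA-1 records are rejected by default; pass allow_sha1=True only when
    reading old metadata where a weaker check is acceptable.
    """
    algo, expected = parse_record(record)
    if algo == "sha1" and not allow_sha1:
        raise ValueError("sha1 record rejected: collision resistance required")
    actual = hashlib.new(algo, data).hexdigest()
    # Constant-time comparison; harmless here but the right habit for digests.
    return hmac.compare_digest(actual, expected)


def classify_bare_hex(hexdigest: str) -> list[str]:
    """For an unlabelled hex string (as in /file/<hash>), list the algorithms
    whose output length matches. Length is the only clue, which is the
    ambiguity a labelled record removes."""
    return [algo for algo, n in HEX_LEN.items() if n == len(hexdigest)]


if __name__ == "__main__":
    rec = digest_record(SAMPLE_DEB)
    print("record:", rec)
    print("verifies:", verify(SAMPLE_DEB, rec))
    print("tampered verifies:", verify(SAMPLE_DEB + b"\n", rec))
    print("bare 40-hex could be:", classify_bare_hex("a" * 40))
```

Running it prints a `sha256:` record for the sample bytes, `True` for the untouched input, `False` once a byte is appended, and `['sha1']` for a 40-character bare digest. The `allow_sha1` switch is what makes the agility explicit: a verifier can still read old records, but accepting a SHA-1 match as proof of identity is a decision the caller has to make, not a default.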