On Tue 2015-06-23 03:31:05 -0400, Jérémy Bobbio wrote:

> Some people suggested that we should record a checksum of the `.deb`
> installed as a way to unambiguously referring to a specific package.
> The main benefit that I can think of is that it would allow to directly
> retrieve the file from snapshot.debian.org based on the hash [2].

I like the idea of storing a cryptographically-strong digest of each
installed package.  I'm no expert on package management, but dpkg does
sound to me like the right place to keep this record, for whatever
that's worth.

>  [2]: https://anonscm.debian.org/cgit/mirror/snapshot.debian.org.git/plain/API
>       URL: /file/<hash>

This API is a little weird in that it doesn't specify the hash
algorithm.  Their examples are all 160-bits, hex-encoded, which makes me
suspect that they're using SHA1.  While SHA1 isn't completely
practically broken yet, it's probably not a good idea to rely on it in
situations like this that depend on the digest mechanism's
collision-resistance over binary objects.  We haven't seen a forced
SHA-1 collision in published research yet, but it's just a matter of
time (and we don't know what the SHA-1 collision attacks look like in
private research).

A stronger digest from the SHA2 family (SHA-256 or SHA-512) would be
preferable if we're hardcoding the choice of digest in this first
implementation.  allowing for algorithm agility (hash selection at
runtime) is another option, but it seems like extra engineering work.


Reproducible-builds mailing list

Reply via email to