Bug#1057057: debian-policy: Please make Checksums-Sha1 optional

2023-11-28 Thread Guillem Jover
Hi!

On Tue, 2023-11-28 at 14:57:10 -0800, Russ Allbery wrote:
> Dimitri John Ledkov  writes:
> > Dak currently requires Checksums-Sha1, but I am happy to facilitate in
> > patching dak to make Checksums-Sha1 optional if this bug report is
> > accepted.
> 
> The field is documented as mandatory precisely because DAK requires it,
> which makes it mandatory for Debian packages.  As soon as DAK doesn't
> require it, I'm happy to make it optional (and indeed it would arguably be
> a bug in Policy if it's optional in the archive but Policy claims it's
> mandatory).

I'd like to drop those from .changes and .dsc (among other things),
but demoting these which are currently marked as required to me implies
a major format version bump. And I don't recall ever demoting required
fields, only promoting fields from optional to required.

For .changes, I've got this among other cleanups that would be nice to
do to the format:

  https://wiki.debian.org/Teams/Dpkg/Spec/ChangesFormat2.0

but there did not seem to be much enthusiasm when I proposed this some
time ago:

  https://lists.debian.org/debian-devel/2016/04/msg00326.html

For .dsc, there's the problem that, very confusingly, the Format field is used
not for the file format but for the source format, which I think was
a mistake at the time, but here we are; see the .dsc section at:

  https://wiki.debian.org/Teams/Dpkg/TimeTravelFixes

Thanks,
Guillem



Bug#1057057: debian-policy: Please make Checksums-Sha1 optional

2023-11-28 Thread Dimitri John Ledkov
Hi,

On Wed, 29 Nov 2023 at 00:05, Holger Levsen  wrote:
>
> hi,
>
> snapshot.d.o also uses sha1 sums, at least internally, but I'd not be
> surprised if also for external verification.

At the moment I am trying to focus on the contents of .dsc and .changes
only, not the InRelease, Packages etc. files.
Does snapshot.d.o peek inside .dsc and .changes files? Does it use
sha1 for "by-hash" like content addressing? My understanding was that
"by-hash" lookups use sha256 only (at least Launchpad's implementation
had code for sha1 but it never was in production proper).

-- 
okurrr,

Dimitri



Bug#1057057: debian-policy: Please make Checksums-Sha1 optional

2023-11-28 Thread Holger Levsen
hi,

snapshot.d.o also uses sha1 sums, at least internally, but I'd not be
surprised if also for external verification.


-- 
cheers,
Holger



Bug#1057057: debian-policy: Please make Checksums-Sha1 optional

2023-11-28 Thread Russ Allbery
Dimitri John Ledkov  writes:

> Dak currently requires Checksums-Sha1, but I am happy to facilitate in
> patching dak to make Checksums-Sha1 optional if this bug report is
> accepted.

The field is documented as mandatory precisely because DAK requires it,
which makes it mandatory for Debian packages.  As soon as DAK doesn't
require it, I'm happy to make it optional (and indeed it would arguably be
a bug in Policy if it's optional in the archive but Policy claims it's
mandatory).

-- 
Russ Allbery (r...@debian.org)  



Bug#1057057: debian-policy: Please make Checksums-Sha1 optional

2023-11-28 Thread Dimitri John Ledkov
Package: debian-policy
Version: 4.6.2.0
Severity: wishlist
Tags: patch

Dear Maintainer,

SHA1 is an obsolete checksum method. For example, NIST recommends
phasing out all usage of SHA1 by 2030. Currently it is generated in .dsc
and .changes files and validated. It does not bring any additional
security measures over SHA256, which is already present. Unlike
Files/Md5, it is in fact optional and is trivial to drop.

Please consider making Checksums-Sha1 optional in .dsc and .changes.

All basic tooling handles lack of Checksums-Sha1 gracefully, as they
are already not treated as trusted.

Launchpad accepts uploads without Checksums-Sha1.

Dak currently requires Checksums-Sha1, but I am happy to facilitate in
patching dak to make Checksums-Sha1 optional if this bug report is
accepted.

I have not checked other tools like Open Build Service, Artifactory,
etc.

Example files:

https://ppa.launchpadcontent.net/yolo4k/kernels/ubuntu/pool/main/h/hello/hello_2.10-2ubuntu5.dsc

https://launchpadlibrarian.net/699972411/hello_2.10-2ubuntu5_source.changes

Regards,

Dimitri.
From 95a090af0ced9c04a79da7c006655388fd41a188 Mon Sep 17 00:00:00 2001
From: Dimitri John Ledkov 
Date: Tue, 28 Nov 2023 17:00:20 +
Subject: [PATCH] policy: Make Checksums-Sha1 optional

Make Checksums-Sha1 optional as it is redundant compared to Sha256,
and Sha1 usage should be phased out by 2030. Making Checksums-Sha1
optional is relatively easy and backwards compatible with many
tools. dak will require a change to allow uploads without
Checksums-Sha1, prior to releasing policy & dpkg update.

Signed-off-by: Dimitri John Ledkov 
---
 policy/ch-controlfields.rst| 19 +++
 policy/upgrading-checklist.rst |  9 +
 2 files changed, 20 insertions(+), 8 deletions(-)

diff --git a/policy/ch-controlfields.rst b/policy/ch-controlfields.rst
index 2871658f57..d125994b0b 100644
--- a/policy/ch-controlfields.rst
+++ b/policy/ch-controlfields.rst
@@ -243,8 +243,9 @@ is described above, in :ref:`s-controlsyntax`.
 
 -  :ref:`Package-List ` (recommended)
 
--  :ref:`Checksums-Sha1 and Checksums-Sha256 `
-   (mandatory)
+-  :ref:`Checksums-Sha1 ` (optional)
+
+-  :ref:`Checksums-Sha256 ` (mandatory)
 
 -  :ref:`Files ` (mandatory)
 
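Review bot: this hunk marks Checksums-Sha1 as optional in the .dsc field list while the commit message itself says dak still rejects uploads that lack it, so Policy would describe as optional a field the archive requires, which is exactly the inconsistency Russ Allbery's reply objects to. Consider holding this Policy change until the dak change has landed, or adding a note next to "(optional)" that the archive currently still requires the field.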
@@ -297,8 +298,9 @@ The fields in this file are:
 
 -  :ref:`Changes ` (mandatory)
 
--  :ref:`Checksums-Sha1 and Checksums-Sha256 `
-   (mandatory)
+-  :ref:`Checksums-Sha1 ` (optional)
+
+-  :ref:`Checksums-Sha256 ` (mandatory)
 
 -  :ref:`Files ` (mandatory)
 
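Review bot: the same ordering concern as for the .dsc list applies to this .changes list. Both new bullets also keep pointing at the shared ref target of the combined "Checksums-Sha1 and Checksums-Sha256" section (the heading is unchanged in the next hunk); that resolves, but two bullets suggest two sections, so either split the section as well or keep one bullet reading `:ref:` Checksums-Sha256 (mandatory) and Checksums-Sha1 (optional).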
@@ -1026,10 +1028,11 @@ such as ``<>``.
 ``Checksums-Sha1`` and ``Checksums-Sha256``
 ~~~
 
-These multiline fields contain a list of files with a checksum and size
-for each one. Both ``Checksums-Sha1`` and ``Checksums-Sha256`` have the
-same syntax and differ only in the checksum algorithm used: SHA-1 for
-``Checksums-Sha1`` and SHA-256 for ``Checksums-Sha256``.
+These multiline fields contain a list of files with a checksum and
+size for each one. Both ``Checksums-Sha1`` (optional) and
+``Checksums-Sha256`` (mandatory) have the same syntax and differ only
+in the checksum algorithm used: SHA-1 for ``Checksums-Sha1`` and
+SHA-256 for ``Checksums-Sha256``.
 
 ``Checksums-Sha1`` and ``Checksums-Sha256`` are multiline fields. The
 first line of the field value (the part on the same line as
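Review bot: the rewritten paragraph only adds "(optional)" and "(mandatory)" in parentheses and says nothing about what optional means for producers and consumers: whether a consumer may ignore an absent Checksums-Sha1, and that a present one must list the same files and sizes as Checksums-Sha256 and must not be relied upon for verification (the bug report's own rationale is that SHA-1 adds nothing over SHA-256 and is already not treated as trusted). Suggest one sentence to that effect after the first paragraph. Also, rewrapping the whole paragraph makes the diff larger than the change; inserting the two parentheticals into the existing lines would be easier to review.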
diff --git a/policy/upgrading-checklist.rst b/policy/upgrading-checklist.rst
index c772b7e178..4cb37cf624 100644
--- a/policy/upgrading-checklist.rst
+++ b/policy/upgrading-checklist.rst
@@ -39,6 +39,15 @@ The sections in this checklist match the values for the
 except in the two anomalous historical cases where normative
 requirements were changed in a minor patch release.
 
+Version 4.6.3
+-
+
+UNRELEASED
+
+
+5.4 & 5.5
+Checksums-Sha1 are now optional.
+
 Version 4.6.2
 -
 
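Review bot: the checklist entry "Checksums-Sha1 are now optional." is ungrammatical (the field is singular) and does not say where it applies; suggest `The Checksums-Sha1 field is now optional in .dsc and .changes files; Checksums-Sha256 remains mandatory.` Also compare the blank-line layout between `UNRELEASED` and the `5.4 & 5.5` entry with the existing Version 4.6.2 block that follows, so the new section renders like its neighbours.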
-- 
2.34.1
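As an added illustration of the behaviour the bug report asks tooling for (not code from dak, dpkg or Launchpad): a verifier for the .dsc field layout that treats Checksums-Sha256 as mandatory, tolerates a missing Checksums-Sha1, and never uses SHA-1 to decide integrity. The file contents and the `make_dsc` builder are constructed for the example.

```python
import hashlib

ALGOS = {"Checksums-Sha256": "sha256", "Checksums-Sha1": "sha1"}
# Constructed stand-ins for an upload's files; not a real package.
SAMPLE_FILES = {"hello_2.10.orig.tar.gz": b"orig tarball bytes (constructed)",
                "hello_2.10-2.debian.tar.xz": b"debian tarball bytes (constructed)"}

def make_dsc(files, with_sha1=False):
    # Constructed .dsc-style paragraph; each Checksums-* value starts on the
    # line after "Field:" because they are multiline fields.
    lines = ["Format: 3.0 (quilt)", "Source: hello"]
    for field in (["Checksums-Sha1"] if with_sha1 else []) + ["Checksums-Sha256"]:
        lines.append(field + ":")
        lines += [f" {hashlib.new(ALGOS[field], d).hexdigest()} {len(d)} {n}"
                  for n, d in files.items()]
    return "\n".join(lines) + "\n"

def parse_paragraph(text):
    # deb822: "Field: value" lines; whitespace-led lines continue the field.
    fields, current = {}, None
    for line in text.splitlines():
        if line[:1] in (" ", "\t"):
            if current is None:
                raise ValueError("continuation line before any field")
            fields[current].append(line.strip())
        elif ":" in line:
            current, value = line.split(":", 1)
            fields[current] = [value.strip()] if value.strip() else []
    return fields

def parse_checksums(lines):
    # "<hash> <size> <name>" lines -> {name: (hash, size)}
    return {n: (h.lower(), int(s)) for h, s, n in (e.split() for e in lines)}

def verify_source(dsc_text, files):
    # Returns a list of problems (empty = verified). Checksums-Sha256 is required;
    # Checksums-Sha1 may be absent and is only sanity-checked, never trusted.
    fields = parse_paragraph(dsc_text)
    if "Checksums-Sha256" not in fields:
        return ["Checksums-Sha256 field missing"]
    problems, sha256 = [], parse_checksums(fields["Checksums-Sha256"])
    for name, (digest, size) in sha256.items():
        data = files.get(name)
        if data is None or len(data) != size or hashlib.sha256(data).hexdigest() != digest:
            problems.append(f"{name}: missing, wrong size or SHA-256 mismatch")
    if "Checksums-Sha1" in fields:
        sizes = lambda table: {n: s for n, (_, s) in table.items()}
        if sizes(parse_checksums(fields["Checksums-Sha1"])) != sizes(sha256):
            problems.append("Checksums-Sha1 disagrees with Checksums-Sha256 on names/sizes")
    return problems
```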