Re: bug 887830 and 887831
Hi, i wrote: > > jigdo-lite could now make automatic use of the *SUMS via the according > > *sum programs. Steve McIntyre wrote: > That's a change I don't really want to make - the *SUMS we have are > specific to the Debian layout, and AFAIK we're not the only people > using jigdo. It would immediately create security. Probably more than manual ISO downloading, because people tend to omit verifying. The automatic verifying could be omitted if not gpg and sha512sums are installed and if not SHA512SUMS and SHA512SUMS.sign is found in the .jigdo file's parent directory. But if all this stuff is available, why not use it ? Not to forget, the current version of jigdo-lite can download the .jigdo file and currently does not verify it at all. At least this part should be covered by gpg under control of jigdo-lite. And then why not give .template the same verification treatment as .jigdo ? Of course Debian package jigdo-file should then depend on gpg and sha512sum. > > Or jigdo-lite could expect better .template checksums in the .jigdo file > > and jigdo-file could learn to compute such sums. > > libjte can, so jigdo-file could learn from there. > That makes much more sense, yes. As/when/if I find the time, I'll > fight with the C++ in jigdo-file to look for better checksums. As said, this cannot verify the .jigdo file (unless it gets signed non-detached by gpg). Elsewise: The SHA-512 stuff could be taken from libjte. The .jigdo file already has SHA-512 for the ISO image: # Image Hex SHA512Sum 27e41f13ce0f71e0fc503da41f3afa87285e0fc2e8ffb8d7ff4f572e26451dafd1a6f220c9256731d451400893437b0dfc17534c441f2a29a81130c59f790a50 but not for .template. jigdo-lite would have to hand the SHA-512 of .template to jigdo-file, instead of the MD5 as is done currently. jigdo-file would need a verification command that mimics sha512sum. libjte seems prepared for more .template checksums. Only MD5 is enabled by default. Compare checksum_algo_iso and checksum_algo_tmpl at https://sources.debian.org/src/jigit/1.20-2/libjte/libjte.c/#L100 xorriso calls libjte_set_checksum_template() with the argument of xorrisofs option -checksum_algorithm_template. In debian-9.3.0-i386-netinst.iso/.disk/mkisofs there is -checksum_algorithm_iso md5,sha1,sha256,sha512 but no -checksum_algorithm_template. So, to my untested theory, it should suffice to use in debian-cd -checksum_algorithm_template md5,sha1,sha256,sha512 In live-wrapper it would be -jigdo checksum_template md5,sha1,sha256,sha512 (but debian-live-9.3.0-amd64-xfce.iso/.disk/mkisofs shows no -jigdo commands.) I am a bit brain damaged today and maybe in the next days. When i am in better shape i will modify xorriso's Jigdo production regression test to see whether the production part is really that easy. Have a nice day :) Thomas
Re: bug 887830, was: Joliet name length in amd64 netinst versus DVD-2
On Mon, Feb 12, 2018 at 05:29:45PM +0100, Thomas Schmitt wrote: > >Now the next weakest point in Jigdo download is > > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=887831 > "jigdo-file: Jigdo .template file and resulting ISO are only verified by MD5" > >jigdo-lite after fix of bug 865864 downloads the .template if it yet >missing in the local directory. Verification is done by line >"Template-MD5Sum" of the .jigdo file, not by *SUMS. > >jigdo-lite could now make automatic use of the *SUMS via the according >*sum programs. That's a change I don't really want to make - the *SUMS we have are specific to the Debian layout, and AFAIK we're not the only people using jigdo. >Or jigdo-lite could expect better .template checksums in the .jigdo file >and jigdo-file could learn to compute such sums. >libjte can, so jigdo-file could learn from there. That makes much more sense, yes. As/when/if I find the time, I'll fight with the C++ in jigdo-file to look for better checksums. -- Steve McIntyre, Cambridge, UK.st...@einval.com Getting a SCSI chain working is perfectly simple if you remember that there must be exactly three terminations: one on one end of the cable, one on the far end, and the goat, terminated over the SCSI chain with a silver-handled knife whilst burning *black* candles. --- Anthony DeBoer
Re: bug 887830
Hi, i wrote: > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=887831 > "jigdo-file: Jigdo .template file and resulting ISO are only verified > by MD5" > [...] > jigdo-lite could now make automatic use of the *SUMS via the according > *sum programs. It comes to me that jigdo-lite would first have to make use of a verified SHA512SUMS file in order to verify the .jigdo file before using it. Only after that verification, bug 887831 will be of real importance. Have a nice day :) Thomas
Re: bug 887830, was: Joliet name length in amd64 netinst versus DVD-2
Hi,
i wrote:
> > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=887830
> > "debian-cd: *.jigdo files should be listed in the *SUMS files"
Steve McIntyre:
> ACK, it's a fairly simple fix to the debian-cd setup. I've pushed the
> changes and if you check today's daily/weekly builds you'll see that
> the jigdo and template files are listed in the checksums files too!
That's good news. Especially for users of old jigdo-lite who download
the .template files manually because of the old "https" inability
(see fixed bug 865864).
I tested with
https://cdimage.debian.org/mirror/cdimage/weekly-builds/amd64/jigdo-cd/debian-testing-amd64-netinst.{jigdo,template}
MD5, SHA256, and SHA512 match nicely.
-
Now the next weakest point in Jigdo download is
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=887831
"jigdo-file: Jigdo .template file and resulting ISO are only verified by MD5"
jigdo-lite after fix of bug 865864 downloads the .template if it yet
missing in the local directory. Verification is done by line
"Template-MD5Sum" of the .jigdo file, not by *SUMS.
jigdo-lite could now make automatic use of the *SUMS via the according
*sum programs.
Or jigdo-lite could expect better .template checksums in the .jigdo file
and jigdo-file could learn to compute such sums.
libjte can, so jigdo-file could learn from there.
Have a nice day :)
Thomas
