Re: Release file changes

2011-02-24 Thread Luca Niccoli
On 21 February 2011 15:39, Joey Hess jo...@debian.org wrote: Joerg Jaspert wrote: until today our Release files included 3 Hashes for all their entries: MD5SUM, SHA1, SHA256. I just modified the code to no longer include MD5SUM in *all* newly generated Release files. cowbuilder --create

Re: Release file changes

2011-02-24 Thread Luca Niccoli
On 24 February 2011 11:29, Luca Niccoli lultimou...@gmail.com wrote: Did Packages.diff/Index use to contain an MD5sum? (it doesn't as of now) Or is this some unrelated breakage? Mmm, it worked using ftp.debian.org, so it was a mirror problem I guess. Aptitude and apt didn't have any problems

Re: Release file changes

2011-02-23 Thread Bernd Zeimetz
On 02/22/2011 07:37 PM, Joerg Jaspert wrote: until today our Release files included 3 Hashes for all their entries: MD5SUM, SHA1, SHA256. I just modified the code to no longer include MD5SUM in *all* newly generated Release files. Right. For now I undo this (with next dinstall run), until

Re: Release file changes

2011-02-23 Thread Holger Levsen
Hi, On Tuesday, 22 February 2011, Joerg Jaspert wrote: - lenny is gone and the tools are fixed in squeeze with a point update (provided the SRMs approve such updates, but I *hope* so). Do I understand correctly that you again plan to break squeeze, this time for those who then haven't

Re: Release file changes

2011-02-23 Thread Philipp Kern
On 2011-02-23, Holger Levsen hol...@layer-acht.org wrote: - wheezy is released. (This is the option I don't really favor, takes ages :) ) I actually prefer this very much over more random breakage in which is supposed to be stable. 2 years ain't that long. Seconded. If it would've been

Re: Release file changes

2011-02-22 Thread Holger Levsen
Hi, On Monday, 21 February 2011, Joerg Jaspert wrote: Yep. debmirror, reprepro, debootstrap and cdebootstrap seem to be the tools that can't deal with this. fai-mirror came to my mind. And probably older dak setups as well? The latter two are serious enough to keep the change away from

Re: Release file changes

2011-02-22 Thread Joerg Jaspert
until today our Release files included 3 Hashes for all their entries: MD5SUM, SHA1, SHA256. I just modified the code to no longer include MD5SUM in *all* newly generated Release files. Right. For now I undo this (with next dinstall run), until either one of the following happens: - lenny

Re: Release file changes

2011-02-22 Thread Russ Allbery
Joerg Jaspert jo...@debian.org writes: Right. For now I undo this (with next dinstall run), until either one of the following happens: - lenny is gone and the tools are fixed in squeeze with a point update (provided the SRMs approve such updates, but I *hope* so). Until today we

Re: Release file changes

2011-02-22 Thread Joey Hess
Russ Allbery wrote: Joerg Jaspert jo...@debian.org writes: Right. For now I undo this (with next dinstall run), until either one of the following happens: - lenny is gone and the tools are fixed in squeeze with a point update (provided the SRMs approve such updates, but I *hope*

Re: Release file changes

2011-02-22 Thread Henrique de Moraes Holschuh
On Tue, 22 Feb 2011, Joey Hess wrote: Russ Allbery wrote: Joerg Jaspert jo...@debian.org writes: Right. For now I undo this (with next dinstall run), until either one of the following happens: - lenny is gone and the tools are fixed in squeeze with a point update (provided

Re: Release file changes

2011-02-21 Thread Joey Hess
Joerg Jaspert wrote: until today our Release files included 3 Hashes for all their entries: MD5SUM, SHA1, SHA256. I just modified the code to no longer include MD5SUM in *all* newly generated Release files. When will that affect Release files for stable? Next point release? Because that

Re: Release file changes

2011-02-21 Thread brian m. carlson
On Sun, Feb 20, 2011 at 07:03:11PM +0100, Joerg Jaspert wrote: I additionally opened a bug with apt to add support for SHA512SUM, so we can start using them. As soon as that is possible I intend to drop SHA256 and end up with SHA1/SHA512 only. Unfortunately, the algorithm used for the GnuPG

Re: Release file changes

2011-02-21 Thread Philipp Kern
On 2011-02-21, Joey Hess jo...@debian.org wrote: Joerg Jaspert wrote: until today our Release files included 3 Hashes for all their entries: MD5SUM, SHA1, SHA256. I just modified the code to no longer include MD5SUM in *all* newly generated Release files. When will that affect Release files

Re: Release file changes

2011-02-21 Thread Florian Weimer
* Joerg Jaspert: I additionally opened a bug with apt to add support for SHA512SUM, so we can start using them. As soon as that is possible I intend to drop SHA256 and end up with SHA1/SHA512 only. Please don't. I have more faith in SHA-256 than SHA-512.

Re: Release file changes

2011-02-21 Thread Michael Gilbert
On Mon, 21 Feb 2011 18:55:13 +0100, Florian Weimer wrote: * Joerg Jaspert: I additionally opened a bug with apt to add support for SHA512SUM, so we can start using them. As soon as that is possible I intend to drop SHA256 and end up with SHA1/SHA512 only. Please don't. I have more

Re: Release file changes

2011-02-21 Thread The Fungi
On Mon, Feb 21, 2011 at 01:05:02PM -0500, Michael Gilbert wrote: What indications are there that SHA-512 is weak? It might be worth approaching from a pragmatic perspective... why generate SHA-512 checksums when you're only going to be signing a SHA-256 digest of that list (that is unless you

Re: Release file changes

2011-02-21 Thread Joerg Jaspert
until today our Release files included 3 Hashes for all their entries: MD5SUM, SHA1, SHA256. I just modified the code to no longer include MD5SUM in *all* newly generated Release files. When will that affect Release files for stable? Next point release? Because that unfortunately completely

Re: Release file changes

2011-02-21 Thread Joerg Jaspert
On 12398 March 1977, Joey Hess wrote: until today our Release files included 3 Hashes for all their entries: MD5SUM, SHA1, SHA256. I just modified the code to no longer include MD5SUM in *all* newly generated Release files. When will that affect Release files for stable? Next point release?

Re: Release file changes

2011-02-21 Thread Joerg Jaspert
I additionally opened a bug with apt to add support for SHA512SUM, so we can start using them. As soon as that is possible I intend to drop SHA256 and end up with SHA1/SHA512 only. Unfortunately, the algorithm used for the GnuPG signatures (both in InRelease and Release.gpg) is SHA-1.

Re: Release file changes

2011-02-21 Thread Joerg Jaspert
I additionally opened a bug with apt to add support for SHA512SUM, so we can start using them. As soon as that is possible I intend to drop SHA256 and end up with SHA1/SHA512 only. Please don't. I have more faith in SHA-256 than SHA-512. Uhh, fine - why? -- bye, Joerg Well, it's 1 a.m.

Re: Release file changes

2011-02-21 Thread Joerg Jaspert
It might be worth approaching from a pragmatic perspective... why generate SHA-512 checksums when you're only going to be signing a SHA-256 digest of that list (that is unless you want to alienate users of OpenPGP-compliant tools which don't implement optional algorithms). Is it because you

Re: Release file changes

2011-02-21 Thread Philipp Kern
On 2011-02-21, Joerg Jaspert jo...@debian.org wrote: until today our Release files included 3 Hashes for all their entries: MD5SUM, SHA1, SHA256. I just modified the code to no longer include MD5SUM in *all* newly generated Release files. When will that affect Release files for stable? Next

Re: Release file changes

2011-02-21 Thread Adam D. Barratt
On Mon, 2011-02-21 at 20:58 +0100, Joerg Jaspert wrote: until today our Release files included 3 Hashes for all their entries: MD5SUM, SHA1, SHA256. I just modified the code to no longer include MD5SUM in *all* newly generated Release files. When will that affect Release files for stable?

Re: Release file changes

2011-02-21 Thread Florian Weimer
* Joerg Jaspert: I additionally opened a bug with apt to add support for SHA512SUM, so we can start using them. As soon as that is possible I intend to drop SHA256 and end up with SHA1/SHA512 only. Please don't. I have more faith in SHA-256 than SHA-512. Uhh, fine - why? I think this

Re: Release file changes

2011-02-21 Thread The Fungi
On Mon, Feb 21, 2011 at 09:13:51PM +0100, Joerg Jaspert wrote: Care to make a point for the gpg stuff around it within bug #612657? Gladly! Restating and Cc'ing... While I agree that moving away from SHA-1 is necessary, SHA-512 is not part of the compatibility set according to the gpg(1)

Re: Release file changes

2011-02-21 Thread Joerg Jaspert
until today our Release files included 3 Hashes for all their entries: MD5SUM, SHA1, SHA256. I just modified the code to no longer include MD5SUM in *all* newly generated Release files. When will that affect Release files for stable? Next point release? Because that unfortunately

Re: Release file changes

2011-02-21 Thread Joerg Jaspert
I additionally opened a bug with apt to add support for SHA512SUM, so we can start using them. As soon as that is possible I intend to drop SHA256 and end up with SHA1/SHA512 only. Please don't. I have more faith in SHA-256 than SHA-512. Uhh, fine - why? I think this question is a bit rude

Re: Release file changes

2011-02-21 Thread Joey Hess
Joerg Jaspert wrote: Yep. debmirror, reprepro, debootstrap and cdebootstrap seem to be the tools that can't deal with this. The latter two are serious enough to keep the change away from oldstable forever, and stable at least until after next point release, should they get updated there. It's

Re: Release file changes

2011-02-21 Thread Sune Vuorela
On 2011-02-21, Joey Hess jo...@debian.org wrote: Joerg Jaspert wrote: Yep. debmirror, reprepro, debootstrap and cdebootstrap seem to be the tools that

Re: Release file changes

2011-02-21 Thread Eduard Bloch
#include hallo.h * Joey Hess [Mon, Feb 21 2011, 05:32:00PM]: Joerg Jaspert wrote: Yep. debmirror, reprepro, debootstrap and cdebootstrap seem to be the tools that can't deal with this. The latter two are serious enough to keep the change away from oldstable forever, and stable at least

Re: Release file changes

2011-02-21 Thread Bernd Zeimetz
On 02/21/2011 09:05 PM, Joerg Jaspert wrote: On 12398 March 1977, Joey Hess wrote: until today our Release files included 3 Hashes for all their entries: MD5SUM, SHA1, SHA256. I just modified the code to no longer include MD5SUM in *all* newly generated Release files. When will that affect

Re: Release file changes

2011-02-21 Thread Joerg Jaspert
Also, it seems like the Releases file is already including sha1 and sha256 for all the d-i files. Nope. Those Release files in debian-installer subdir are just stubs and don't contain checksum information. And there was nothing for installer-$ARCH subdirs and the image files therein. Instead,

Re: Release file changes

2011-02-21 Thread Michael Gilbert
On Mon, Feb 21, 2011 at 3:05 PM, Joerg Jaspert wrote: On 12398 March 1977, Joey Hess wrote: until today our Release files included 3 Hashes for all their entries: MD5SUM, SHA1, SHA256. I just modified the code to no longer include MD5SUM in *all* newly generated Release files. When will that