On 2019-10-22 23:03:49, Thomas Schmitt wrote:
> Hi,
>
> Antoine Beaupré wrote:
>> Severity set to 'grave' from 'normal'
>
> This is really overdone.
>
> See jigdo as a peculiar way of downloading the ISO with an MD5 check
> where e.g. wget has none at all.
> And as said, for now jigdo seems indispensable for the fat ISO sets.
>
>
>> If the ISO image generation is broken, it should be fixed.
>
> My bug report does not say that ISO production is broken or that jigdo
> is the reason for any of the checksums in the package management.
> I doubt both theories.

I mean "broken" as in "DVDs are not available as normal ISOs over HTTP or bittorrent but only jigdo". jigdo is the reason MD5sums are still in the Packages files, according to ftp-masters. It's not a theory I just came up with for kicks.

>> In the meantime, I think it's perfectly acceptable to remove MD5sums
>> from the archive, at the cost of breaking jigdo.
>
> I agree to this plan, if you afterwards verify that debian-cd still can
> produce a pair of .jigdo and .template which jigdo-lite then can use
> to create the identical ISO by help of a package mirror.

In my experience, jigdo never worked, so I don't expect I will be able to do this after the removal, nor before. I have long given up on doing anything with jigdo.

[...]

>> Or, to put it another way, it's completely unacceptable that jigdo uses
>> MD5 to authenticate checksums,
>
> It does so for cross-table key matching, where MD5 suffices by all means
> of hash table theory.

To quote Wikipedia:

> The CMU Software Engineering Institute considers MD5 essentially
> "cryptographically broken and unsuitable for further use"

I would consider using MD5 in any software a serious engineering mistake, in any case. It might still be useful as a hash table component, but I would suspect it is still a mistake.

[...]

It's really unfortunate that this bug has been downgraded. I was hoping to take this as an opportunity to remove jigdo from our workflows, but I guess we will need to tackle this (namely that jigdo is completely abandoned and broken) head on, in separate bug reports.

The problem is *every* bug report (e.g. #772110) that tries to document serious issues about jigdo *all* get downgraded to "normal", saying "this is not a problem". I think this is an unfair way to treat your users. Sure, it will keep jigdo in Debian forever, but it will give a false sense of security (in the case of this bug) and reliability (in the case of #772110), which will hurt Debian's adoption.

Is anyone still seriously thinking that jigdo is a reliable and useful way to download Debian nowadays?

A.

--
A lot of people never use their initiative because no-one told them to.
- Banksy