Hello Andreas,

On 17 April 2010 07:35:47 UTC+2, Andreas.Miller <andreas.mil...@sec-xtreme.com> wrote:
> I have tested the patch. It is working. Thanks. :)

>> 2010/4/4 Andreas Miller <andreas.mil...@sec-xtreme.com>:
>>> the hash value of apt-get with print-uris depends on the
>>> hash-algorithms used in the Packages-Files.
>>
>> Yes it does and it does so since at least 0.7.7 - or in other words
>> since the 23. Oct 2007 (The acquire method uses always the strongest
>> hash available).
>>
>
> I think the strongest hash value should be the default used in the
> Debian package. I.e. a file /etc/apt/apt.conf.d/02hashlevel should block
> lower hashes in a vanilla installation of an operating system.
> A user should be able to use a lower hash level only when necessary and
> available.

As said the method will use the strongest available in the Packages files -
currently supported are sha256, sha1 and md5sum. All these checksums are
per default generated by the archive creators like our apt-ftparchive.
So in practice all downloaded meta information files are checked by sha256.

>> Attached is a patch which can be used to force the usage of a specific
>> hashmethod. apt-get will use this in --print-uris commands to force md5sum
>> if the user hasn't forced another method already.
>> Is that what you need/request?
>
> Yes. I hope this option is forcing the hash not only when --print-uris
> is active, but when the hash values are validated during the
> installation of the package.

Yes, this force flag can be used to use a specific one also for the "real"
validation - it is just not set by default and therefore the method will
use the strongest available hashmethod. Only in invocations with
--print-uris the default is changed to "md5sum".

Best regards,

David Kalnischkies
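
The selection rule discussed in this message (use the strongest checksum present in the Packages file unless a specific one is forced), sketched in Python as an added example. It is not apt's code or the attached patch; the function names, the `force` parameter and the sample stanza are assumptions made for illustration.

```python
import hashlib

# Strongest first: the three checksum fields named in the thread.
PREFERENCE = [("SHA256", "sha256"), ("SHA1", "sha1"), ("MD5sum", "md5")]

def parse_stanza(text):
    """Parse one 'Field: value' stanza of a Packages file into a dict."""
    fields = {}
    for line in text.strip().splitlines():
        if not line.strip() or line[0].isspace():
            continue  # skip blanks and continuation lines (e.g. Description)
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields

def pick_hash(fields, force=None):
    """Return (field, hashlib name, expected hex digest).

    Without force: the strongest checksum present in the stanza.
    With force: only that field is accepted; if it is missing this is an
    error rather than a silent fallback to another algorithm.
    """
    for field, algo in PREFERENCE:
        if force is not None and field.lower() != force.lower():
            continue
        if field in fields:
            return field, algo, fields[field].lower()
    raise ValueError("no usable checksum (force=%r)" % (force,))

def verify(data, fields, force=None):
    """Check downloaded bytes against the selected checksum."""
    field, algo, expected = pick_hash(fields, force)
    return field, hashlib.new(algo, data).hexdigest() == expected

# Constructed sample input: a payload and a matching Packages stanza.
DATA = b"constructed package payload\n"
STANZA = "\n".join([
    "Package: example-pkg",
    "Description: constructed sample",
    " continuation line: ignored by the parser",
    "MD5sum: " + hashlib.md5(DATA).hexdigest(),
    "SHA1: " + hashlib.sha1(DATA).hexdigest(),
    "SHA256: " + hashlib.sha256(DATA).hexdigest(),
])

if __name__ == "__main__":
    print(verify(DATA, parse_stanza(STANZA)))
    print(verify(DATA, parse_stanza(STANZA), force="md5sum"))
```
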