Re: Release file changes

2011-02-24 Thread Luca Niccoli
On 24 February 2011 11:29, Luca Niccoli wrote: > Did Packages.diff/Index use to contain an MD5sum? (it doesn't as of now) > Or is this some unrelated breakage? Mmm, it worked using ftp.debian.org, so it was a mirror problem I guess. Aptitude and apt didn't have any problems with it though. Sorr

Re: Release file changes

2011-02-24 Thread Luca Niccoli
On 21 February 2011 15:39, Joey Hess wrote: > Joerg Jaspert wrote: >> until today our Release files included 3 Hashes for all their entries: >> MD5SUM, SHA1, SHA256. I just modified the code to no longer include >> MD5SUM in *all* newly generated Release files. cowbuilder --create fails with: W

Re: Release file changes

2011-02-23 Thread Philipp Kern
On 2011-02-23, Holger Levsen wrote: >> - wheezy is released. (This is the option I don't really favor, takes >> ages :) ) > I actually prefer this very much over more random breakage in which is > supposed to be stable. 2 years ain't that long. Seconded. If it would've been urgent it should'

Re: Release file changes

2011-02-23 Thread Holger Levsen
Hi, On Tuesday, 22 February 2011, Joerg Jaspert wrote: > - lenny is gone and the tools are fixed in squeeze with a point > update (provided the SRMs approve such updates, but I *hope* so). Do I understand correctly that you again plan to break squeeze, this time for those who then haven't

Re: Release file changes

2011-02-23 Thread Bernd Zeimetz
On 02/22/2011 07:37 PM, Joerg Jaspert wrote: until today our Release files included 3 Hashes for all their entries: MD5SUM, SHA1, SHA256. I just modified the code to no longer include MD5SUM in *all* newly generated Release files. Right. For now I undo this (with next dinstall run), until eithe

Re: Release file changes

2011-02-22 Thread Henrique de Moraes Holschuh
On Tue, 22 Feb 2011, Joey Hess wrote: > Russ Allbery wrote: > > Joerg Jaspert writes: > > > Right. For now I undo this (with next dinstall run), until either one of > > > the following happens: > > > > > - lenny is gone and the tools are fixed in squeeze with a point > > > update (provided

Re: Release file changes

2011-02-22 Thread Joey Hess
Russ Allbery wrote: > Joerg Jaspert writes: > > > Right. For now I undo this (with next dinstall run), until either one of > > the following happens: > > > - lenny is gone and the tools are fixed in squeeze with a point > > update (provided the SRMs approve such updates, but I *hope* so).

Re: Release file changes

2011-02-22 Thread Russ Allbery
Joerg Jaspert writes: > Right. For now I undo this (with next dinstall run), until either one of > the following happens: > - lenny is gone and the tools are fixed in squeeze with a point > update (provided the SRMs approve such updates, but I *hope* so). > Until today we discovered: >

Re: Release file changes

2011-02-22 Thread Joerg Jaspert
> until today our Release files included 3 Hashes for all their entries: > MD5SUM, SHA1, SHA256. I just modified the code to no longer include > MD5SUM in *all* newly generated Release files. Right. For now I undo this (with next dinstall run), until either one of the following happens: - lenny

Re: Release file changes

2011-02-22 Thread Holger Levsen
Hi, On Monday, 21 February 2011, Joerg Jaspert wrote: > Yep. debmirror, reprepro, debootstrap and cdebootstrap seem to be the > tools that can't deal with this. fai-mirror came to my mind. And probably older dak setups as well? > The latter two are serious enough to > keep the change away from

Re: Release file changes

2011-02-21 Thread Michael Gilbert
On Mon, Feb 21, 2011 at 3:05 PM, Joerg Jaspert wrote: > On 12398 March 1977, Joey Hess wrote: > >>> until today our Release files included 3 Hashes for all their entries: >>> MD5SUM, SHA1, SHA256. I just modified the code to no longer include >>> MD5SUM in *all* newly generated Release files. >> Wh

Re: Release file changes

2011-02-21 Thread Joerg Jaspert
>> Also, it seems like the Releases file is already including sha1 and >> sha256 for all the d-i files. > Nope. Those Release files in debian-installer subdir are just stubs and > don't contain checksum information. And there was nothing for > installer-$ARCH subdirs and the image files therein. In

Re: Release file changes

2011-02-21 Thread Bernd Zeimetz
On 02/21/2011 09:05 PM, Joerg Jaspert wrote: > On 12398 March 1977, Joey Hess wrote: > >>> until today our Release files included 3 Hashes for all their entries: >>> MD5SUM, SHA1, SHA256. I just modified the code to no longer include >>> MD5SUM in *all* newly generated Release files. >> When will

Re: Release file changes

2011-02-21 Thread Eduard Bloch
#include * Joey Hess [Mon, Feb 21 2011, 05:32:00PM]: > Joerg Jaspert wrote: > > Yep. debmirror, reprepro, debootstrap and cdebootstrap seem to be the > > tools that can't deal with this. The latter two are serious enough to > > keep the change away from oldstable forever, and stable at least until

Re: Release file changes

2011-02-21 Thread Sune Vuorela
On 2011-02-21, Joey Hess wrote: > Joerg Jaspert wrote: >> Yep. debmirror, reprepro, debootstrap and cdebootstrap seem to be the >> tools that can't deal

Re: Release file changes

2011-02-21 Thread Joey Hess
Joerg Jaspert wrote: > Yep. debmirror, reprepro, debootstrap and cdebootstrap seem to be the > tools that can't deal with this. The latter two are serious enough to > keep the change away from oldstable forever, and stable at least until > after next point release, should they get updated there. I

Re: Release file changes

2011-02-21 Thread Joerg Jaspert
I additionally opened a bug with apt to add support for SHA512SUM, so we can start using them. As soon as that is possible I intend to drop SHA256 and end up with SHA1/SHA512 only. >>> Please don't. I have more faith in SHA-256 than SHA-512. >> Uhh, fine - why? > I think this questi

Re: Release file changes

2011-02-21 Thread Joerg Jaspert
>> >>> until today our Release files included 3 Hashes for all their entries: >> >>> MD5SUM, SHA1, SHA256. I just modified the code to no longer include >> >>> MD5SUM in *all* newly generated Release files. >> >> When will that affect Release files for stable? Next point release? >> >> Because that

Re: Release file changes

2011-02-21 Thread The Fungi
On Mon, Feb 21, 2011 at 09:13:51PM +0100, Joerg Jaspert wrote: > Care to make a point for the gpg stuff around it within bug > #612657? Gladly! Restating and Cc'ing... While I agree that moving away from SHA-1 is necessary, SHA-512 is not part of the compatibility set according to the gpg(1) manp

Re: Release file changes

2011-02-21 Thread Florian Weimer
* Joerg Jaspert: >>> I additionally opened a bug with apt to add support for SHA512SUM, so >>> we can start using them. As soon as that is possible I intend to drop >>> SHA256 and end up with SHA1/SHA512 only. >> Please don't. I have more faith in SHA-256 than SHA-512. > > Uhh, fine - why? I thi

Re: Release file changes

2011-02-21 Thread Adam D. Barratt
On Mon, 2011-02-21 at 20:58 +0100, Joerg Jaspert wrote: > >>> until today our Release files included 3 Hashes for all their entries: > >>> MD5SUM, SHA1, SHA256. I just modified the code to no longer include > >>> MD5SUM in *all* newly generated Release files. > >> When will that affect Release file

Re: Release file changes

2011-02-21 Thread Philipp Kern
On 2011-02-21, Joerg Jaspert wrote: until today our Release files included 3 Hashes for all their entries: MD5SUM, SHA1, SHA256. I just modified the code to no longer include MD5SUM in *all* newly generated Release files. >>> When will that affect Release files for stable? Next poin

Re: Release file changes

2011-02-21 Thread Joerg Jaspert
> It might be worth approaching from a pragmatic perspective... why > generate SHA-512 checksums when you're only going to be signing a > SHA-256 digest of that list (that is unless you want to alienate > users of OpenPGP-compliant tools which don't implement optional > algorithms). Is it because

Re: Release file changes

2011-02-21 Thread Joerg Jaspert
>> I additionally opened a bug with apt to add support for SHA512SUM, so >> we can start using them. As soon as that is possible I intend to drop >> SHA256 and end up with SHA1/SHA512 only. > Please don't. I have more faith in SHA-256 than SHA-512. Uhh, fine - why? -- bye, Joerg Well, it's 1 a

Re: Release file changes

2011-02-21 Thread Joerg Jaspert
>> I additionally opened a bug with apt to add support for SHA512SUM, so >> we can start using them. As soon as that is possible I intend to drop >> SHA256 and end up with SHA1/SHA512 only. > Unfortunately, the algorithm used for the GnuPG signatures (both in > InRelease and Release.gpg) is SHA-1.

Re: Release file changes

2011-02-21 Thread Joerg Jaspert
On 12398 March 1977, Joey Hess wrote: >> until today our Release files included 3 Hashes for all their entries: >> MD5SUM, SHA1, SHA256. I just modified the code to no longer include >> MD5SUM in *all* newly generated Release files. > When will that affect Release files for stable? Next point rele

Re: Release file changes

2011-02-21 Thread Joerg Jaspert
>>> until today our Release files included 3 Hashes for all their entries: >>> MD5SUM, SHA1, SHA256. I just modified the code to no longer include >>> MD5SUM in *all* newly generated Release files. >> When will that affect Release files for stable? Next point release? >> Because that unfortunately

Re: Release file changes

2011-02-21 Thread The Fungi
On Mon, Feb 21, 2011 at 01:05:02PM -0500, Michael Gilbert wrote: > What indications are there that SHA-512 is weak? It might be worth approaching from a pragmatic perspective... why generate SHA-512 checksums when you're only going to be signing a SHA-256 digest of that list (that is unless you wa

Re: Release file changes

2011-02-21 Thread Michael Gilbert
On Mon, 21 Feb 2011 18:55:13 +0100, Florian Weimer wrote: > * Joerg Jaspert: > > > I additionally opened a bug with apt to add support for SHA512SUM, so > > we can start using them. As soon as that is possible I intend to drop > > SHA256 and end up with SHA1/SHA512 only. > > Please don't. I have

Re: Release file changes

2011-02-21 Thread Florian Weimer
* Joerg Jaspert: > I additionally opened a bug with apt to add support for SHA512SUM, so > we can start using them. As soon as that is possible I intend to drop > SHA256 and end up with SHA1/SHA512 only. Please don't. I have more faith in SHA-256 than SHA-512.

Re: Release file changes

2011-02-21 Thread Philipp Kern
On 2011-02-21, Joey Hess wrote: > Joerg Jaspert wrote: >> until today our Release files included 3 Hashes for all their entries: >> MD5SUM, SHA1, SHA256. I just modified the code to no longer include >> MD5SUM in *all* newly generated Release files. > When will that affect Release files for stable

Re: Release file changes

2011-02-21 Thread brian m. carlson
On Sun, Feb 20, 2011 at 07:03:11PM +0100, Joerg Jaspert wrote: > I additionally opened a bug with apt to add support for SHA512SUM, so > we can start using them. As soon as that is possible I intend to drop > SHA256 and end up with SHA1/SHA512 only. Unfortunately, the algorithm used for the GnuPG

Re: Release file changes

2011-02-21 Thread Joey Hess
Joerg Jaspert wrote: > until today our Release files included 3 Hashes for all their entries: > MD5SUM, SHA1, SHA256. I just modified the code to no longer include > MD5SUM in *all* newly generated Release files. When will that affect Release files for stable? Next point release? Because that unfo