On Sun, Jan 22, 2017 at 12:34:11PM +0100, Bernd Zeimetz wrote:
> afaik people are criticizing that there are still (only) md5sum files in
> /var/lib/dpkg/info. As dpkg --verify uses them, it might indeed make
> sense to replace them.
> (yes, dpkg is not an IDS, but better than nothing...).
I'm wo
On Sun, 2017-01-22 at 13:54:26 +0100, Philipp Kern wrote:
> On 22.01.2017 12:34, Bernd Zeimetz wrote:
> > afaik people are criticizing that there are still (only) md5sum files in
> > /var/lib/dpkg/info. As dpkg --verify uses them, it might indeed make
> > sense to replace them.
> > (yes, dpkg is no
On 22.01.2017 12:34, Bernd Zeimetz wrote:
> afaik people are criticizing that there are still (only) md5sum files in
> /var/lib/dpkg/info. As dpkg --verify uses them, it might indeed make
> sense to replace them.
> (yes, dpkg is not an IDS, but better than nothing...).
Originally the thread was ab
On 01/22/2017 10:49 AM, Philipp Kern wrote:
> On 22.01.2017 00:17, Holger Levsen wrote:
>> We really ought to do the same. I'm all for keeping sha1+sha256, but
>> please let's *completely* drop md5sums for buster.
>
> We already dropped SHA1, FWIW, so it's md5+sha256. And again, the Oracle
> ann
On 22.01.2017 00:17, Holger Levsen wrote:
> We really ought to do the same. I'm all for keeping sha1+sha256, but
> please let's *completely* drop md5sums for buster.
We already dropped SHA1, FWIW, so it's md5+sha256. And again, the Oracle
announcement was about MD5-only, so isn't relevant to the d
Hi,
I'm sorry but I want to amend myself…
On Sat, Jan 21, 2017 at 05:34:41PM +, Holger Levsen wrote:
> > > (and btw, let's drop md5sums for buster, "maybe", _completely_, or how long
> > > do we want to be joked about?)
> > I'm not sure why you say this. More than one hash is strictly better
>
On Sat, Jan 21, 2017 at 06:31:44PM +0100, Philipp Kern wrote:
> AIUI we never exported the .changes files either, which would have
> allowed an independent party to check if the files inserted came from a
> developer or not.
yeah, I consider this another bug.
> > (and btw, let's drop md5sums for
On 19.01.2017 14:27, Holger Levsen wrote:
> On Wed, Jan 18, 2017 at 10:14:46AM +1100, Stuart Prescott wrote:
>> The hashes inside the .dsc file are not used in Debian once the package has
>> been accepted by dak.
>>
>> * The trustable way of getting the source package is with apt-get source,
>>
On Wed, Jan 18, 2017 at 10:14:46AM +1100, Stuart Prescott wrote:
> The hashes inside the .dsc file are not used in Debian once the package has
> been accepted by dak.
>
> * The trustable way of getting the source package is with apt-get source,
> when apt verifies the Release signature → hashes
Stuart Prescott writes ("Re: no-strong-digests-in-dsc MBF"):
> Given the hashes aren't used within Debian and can't be used reliably by
> external parties either, it doesn't feel like a good use of anyone's time.
dgit uses the hashes in the .dsc, both during
Hi Matthias,
On Wed, 18 Jan 2017 00:31:44 Matthias Klumpp wrote:
> > The hashes inside the .dsc file are not used in Debian once the package
> > has
> > been accepted by dak.
>
> I do require them in Debian derivatives (Tanglu / PureOS) and .dsc
> files without the up-to-date signatures are quite
2017-01-18 0:14 GMT+01:00 Stuart Prescott:
> Hi Adrian,
>
>> I want to do a MBF for all packages without a SHA256 checksum field
>> in the .dsc [1] - only SHA1 as hash would not be good in stretch.
>
> I missed two details here:
>
> * why is this worth doing at all
>
> * why is this important enou
Hi Adrian,
> I want to do a MBF for all packages without a SHA256 checksum field
> in the .dsc [1] - only SHA1 as hash would not be good in stretch.
I missed two details here:
* why is this worth doing at all
* why is this important enough for the bugs to be release-critical (which
means, afte
Adrian Bunk writes:
> I want to do a MBF for all packages without a SHA256 checksum field
> in the .dsc [1] - only SHA1 as hash would not be good in stretch.
Why? The Sources index should have a stronger hash either way.
If you care about stronger hashes in the .dsc itself, wouldn't the .dsc
its
Hi,
I want to do a MBF for all packages without a SHA256 checksum field
in the .dsc [1] - only SHA1 as hash would not be good in stretch.
This is quite easy to fix in a package - all that is required is a
sourceful upload (but a binNMU would not be sufficient).
The steps will be:
1. QA uploads
15 matches