debian-cd

Merge lp://staging/~xnox/debian-cd/add_secured-fixes into lp://staging/~ubuntu-cdimage/debian-cd/ubun3

  1. add_secured-fixes
  2. Merge into ubun3
Proposed by Dimitri John Ledkov
Status: Merged
Merged at revision: 2068
Proposed branch: lp://staging/~xnox/debian-cd/add_secured-fixes
Merge into: lp://staging/~ubuntu-cdimage/debian-cd/ubun3
Diff against target: 106 lines (+25/-33)
3 files modified
tools/add_secured (+20/-28)
tools/scanpackages (+3/-3)
tools/scansources (+2/-2)
To merge this branch: bzr merge lp://staging/~xnox/debian-cd/add_secured-fixes
Reviewer Review Type Date Requested Status
Steve Langasek Approve
Review via email: mp+386129@code.staging.launchpad.net

Commit message

drop MD5, SHA1 for iso archive

port add_secured to python3

To post a comment you must log in.
Revision history for this message
Steve Langasek (vorlon) wrote :

why would we want to specifically drop sha512 generation, rather than letting it be present but unused?

Revision history for this message
Steve Langasek (vorlon) :
review: Needs Information
Revision history for this message
Dimitri John Ledkov (xnox) wrote :

Hi,

On Sat, 20 Jun 2020, 20:34 Steve Langasek, <email address hidden>
wrote:

> why would we want to specifically drop sha512 generation, rather than
> letting it be present but unused?
>

Currently archive generates md5, sha1, sha256. Whilst cdimage generates
md5, sha1, sha256, sha512. Apt downloads/validates all hashes, even if it
considers them insecure. I have separately asked LP to stop generating
md5/sha1.

Imho, we should be consistent.

Are you saying we should switch to sha512 by default?

Especially since it is faster on 64bit platforms than sha256.

Regards,

Dimitri.

Revision history for this message
Steve Langasek (vorlon) wrote :

I'm not suggesting switching to sha512 by default; I just am not sure of the rationale for dropping sha512 (vs the rationale for dropping md5 and sha1, which are obsolete and insecure).

lp://staging/~xnox/debian-cd/add_secured-fixes updated
2069. By Dimitri John Ledkov

tools: drop MD5, SHA1 for iso packaging metadata

MD5 and SHA1 are no longer trusted, so stop generating them.

Older releases, that still generate d-i based images, prior to bionic
require MD5 for d-i components to operate. Thus keep MD5 in the
Release & d-i suites on xenial and lower.

Revision history for this message
Dimitri John Ledkov (xnox) wrote :

> I'm not suggesting switching to sha512 by default; I just am not sure of the
> rationale for dropping sha512 (vs the rationale for dropping md5 and sha1,
> which are obsolete and insecure).

Agree. Code adjusted.

Revision history for this message
Steve Langasek (vorlon) :
review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
The diff is not available at this time. You can reload the page or download it.

Subscribers

People subscribed via source and target branches