Release file changes
On 2011-02-21, Joey Hess <joeyh@debian.org> wrote:
> Joerg Jaspert wrote:
>> until today our Release files included 3 Hashes for all their entries:
>> MD5SUM, SHA1, SHA256. I just modified the code to no longer include
>> MD5SUM in *all* newly generated Release files.
> When will that affect Release files for stable? Next point release?
> Because that unfortunately completely breaks debmirror..

It did suddenly change for squeeze-updates without consultation with the
suite admins. I expect that this is reverted.

The SRMs will not allow this change to affect oldstable's or stable's
Release files at point release time. (Lucky enough they cannot be changed
without invalidating the signatures.)

Kind regards
Philipp Kern

-- 
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/slrnim55tg.9gd.trash@kelgar.0x539.de
Release file changes
* Joerg Jaspert:
> I additionally opened a bug with apt to add support for SHA512SUM, so
> we can start using them. As soon as that is possible I intend to drop
> SHA256 and end up with SHA1/SHA512 only.

Please don't. I have more faith in SHA-256 than SHA-512.

Archive: http://lists.debian.org/8762sdff26.fsf@mid.deneb.enyo.de
Release file changes
On Mon, 21 Feb 2011 18:55:13 +0100, Florian Weimer wrote:
> * Joerg Jaspert:
>
>> I additionally opened a bug with apt to add support for SHA512SUM, so
>> we can start using them. As soon as that is possible I intend to drop
>> SHA256 and end up with SHA1/SHA512 only.
>
> Please don't. I have more faith in SHA-256 than SHA-512.

What indications are there that SHA-512 is weak?

Best wishes,
Mike

Archive: http://lists.debian.org/20110221130502.dfb4c885.michael.s.gilbert@gmail.com
Release file changes
On Mon, Feb 21, 2011 at 01:05:02PM -0500, Michael Gilbert wrote:
> What indications are there that SHA-512 is weak?

It might be worth approaching from a pragmatic perspective... why
generate SHA-512 checksums when you're only going to be signing a
SHA-256 digest of that list (that is unless you want to alienate
users of OpenPGP-compliant tools which don't implement optional
algorithms). Is it because you feel SHA-512 is more
tamper-resistant, or because you're worried that you might wind up
with two entries accidentally colliding over the same SHA-256 hash
(which is pretty unlikely statistically speaking, and even then may
not be particularly relevant depending on the use case for the
hashes).

-- 
{ IRL(Jeremy_Stanley); WWW(http://fungi.yuggoth.org/); PGP(43495829);
WHOIS(STANL3-ARIN); SMTP(fungi@yuggoth.org); FINGER(fungi@yuggoth.org);
MUD(kinrui@katarsis.mudpy.org:6669); IRC(fungi@irc.yuggoth.org#ccl);
ICQ(114362511); YAHOO(crawlingchaoslabs); AIM(dreadazathoth); }

Archive: http://lists.debian.org/20110221192243.GK1293@yuggoth.org
Release file changes
>>> until today our Release files included 3 Hashes for all their entries:
>>> MD5SUM, SHA1, SHA256. I just modified the code to no longer include
>>> MD5SUM in *all* newly generated Release files.
>> When will that affect Release files for stable? Next point release?
>> Because that unfortunately completely breaks debmirror..
> It did suddenly change for squeeze-updates without consultation with the
> suite admins. I expect that this is reverted.

Good laugh that is.

-- 
bye, Joerg
Lisa, you're a Buddhist, so you believe in reincarnation. Eventually,
Snowball will be reborn as a higher life form... like a snowman.

Archive: http://lists.debian.org/87y659tb18.fsf@gkar.ganneff.de
Release file changes
On 12398 March 1977, Joey Hess wrote:
>> until today our Release files included 3 Hashes for all their entries:
>> MD5SUM, SHA1, SHA256. I just modified the code to no longer include
>> MD5SUM in *all* newly generated Release files.
> When will that affect Release files for stable? Next point release?
> Because that unfortunately completely breaks debmirror..

Yep. debmirror, reprepro, debootstrap and cdebootstrap seem to be the
tools that can't deal with this. The latter two are serious enough to
keep the change away from oldstable forever, and stable at least until
after next point release, should they get updated there.

> Also, I'll see about getting d-i generating some stronger checksum files
> now that it's been pointed out. Although I wonder if it would make more
> sense to generate those checksums on the server side.

Well, the files currently come from the d-i builds. Makes sense, it shows
what the build host expects them to be, not what a *possible* corruption
during transport to us and unpack made them. How likely such a corruption
is is a different topic, but the theoretical possibility is there. And we
ARE using the MD5SUMS file when we accept the d-i tarballs to check if it
actually matches, so I think we should keep that.

Please ping me when you start providing additional checksum files (if
possible before the debian-installer-images upload, so I can have the
byhand and release file generation script adjusted).

-- 
bye, Joerg
I'm having the best day of my life, and I owe it all to not going to Church!

Archive: http://lists.debian.org/87tyfxtap3.fsf@gkar.ganneff.de
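The breakage Joerg lists above comes down to how a client reads the hash sections of a Release file. As an added example (not code from dak, apt, debmirror, reprepro or debootstrap), the block below generates a minimal Release file with a chosen set of hash sections, parses it back, and verifies an index file using the strongest algorithm listed; a tool that hard-wires MD5Sum, as the broken tools effectively did, is modelled by passing a preference list containing only MD5Sum. The file names, index contents and header fields are constructed for the example, and nothing here checks the OpenPGP signature over the Release file, which any real client must do first.

```python
"""Release-file hash handling: generate, parse, verify.

Added example, not code from dak, apt, debmirror, reprepro or debootstrap.
File names and contents below are constructed for the example.
"""
import hashlib

# Release-file field name -> hashlib name, strongest first. The order is the
# verifier's preference; MD5Sum is last, so dropping it from a Release file is
# harmless to a client that knows any of the others.
ALGOS = {"SHA512": "sha512", "SHA256": "sha256", "SHA1": "sha1", "MD5Sum": "md5"}
PREFERENCE = tuple(ALGOS)
LEGACY_MD5_ONLY = ("MD5Sum",)  # what a tool hard-wired to MD5Sum effectively uses


def make_release(files, algos, suite="squeeze-updates"):
    """Build a minimal Release file for {path: bytes} listing the given hashes.

    Layout follows the real format: a 'SHA256:' style header, then one
    indented 'digest size path' line per file. Header fields are a
    constructed minimum, and nothing here signs the result.
    """
    lines = ["Origin: Debian", f"Suite: {suite}"]
    for algo in algos:
        lines.append(f"{algo}:")
        for path in sorted(files):
            data = files[path]
            digest = hashlib.new(ALGOS[algo], data).hexdigest()
            lines.append(f" {digest} {len(data):>16} {path}")
    return "\n".join(lines) + "\n"


def parse_release(text):
    """Return {path: {algo: (hexdigest, size)}} from Release text."""
    entries = {}
    algo = None
    for line in text.splitlines():
        if not line.startswith(" "):
            # Unindented line: a header field; only hash-section headers matter.
            key = line.rstrip()
            algo = key[:-1] if key.endswith(":") and key[:-1] in ALGOS else None
            continue
        if algo is None:
            continue
        parts = line.split()
        if len(parts) != 3:
            continue  # tolerate junk rather than abort the whole parse
        digest, size, path = parts
        entries.setdefault(path, {})[algo] = (digest.lower(), int(size))
    return entries


def verify(entries, path, data, preference=PREFERENCE):
    """Verify `data` for `path` with the strongest listed algorithm.

    Returns the algorithm used. KeyError: path unknown or no hash we accept
    is listed. ValueError: size or digest mismatch.
    """
    listed = entries[path]
    for algo in preference:
        if algo not in listed:
            continue
        expected, size = listed[algo]
        if len(data) != size:
            raise ValueError(f"{path}: size {len(data)} != {size}")
        actual = hashlib.new(ALGOS[algo], data).hexdigest()
        if actual != expected:
            raise ValueError(f"{path}: {algo} mismatch")
        return algo
    raise KeyError(f"{path}: none of {preference} listed")


def check(entries, path, data, preference=PREFERENCE):
    """verify() as a status string: the algorithm, 'missing-hash' or 'mismatch'."""
    try:
        return verify(entries, path, data, preference)
    except KeyError:
        return "missing-hash"
    except ValueError:
        return "mismatch"


# Constructed index contents standing in for real Packages/Sources files.
SAMPLE_FILES = {
    "main/binary-amd64/Packages.gz": b"\x1f\x8b constructed, not real gzip data",
    "main/source/Sources.gz": b"\x1f\x8b constructed Sources index",
}
PKG = "main/binary-amd64/Packages.gz"

if __name__ == "__main__":
    new_style = parse_release(make_release(SAMPLE_FILES, ("SHA1", "SHA256")))
    old_style = parse_release(make_release(SAMPLE_FILES, ("MD5Sum", "SHA1", "SHA256")))
    print("modern client, MD5Sum dropped:", check(new_style, PKG, SAMPLE_FILES[PKG]))
    print("MD5-only client, MD5Sum dropped:",
          check(new_style, PKG, SAMPLE_FILES[PKG], LEGACY_MD5_ONLY))
    print("MD5-only client, old Release:",
          check(old_style, PKG, SAMPLE_FILES[PKG], LEGACY_MD5_ONLY))
    print("tampered file:", check(new_style, PKG, SAMPLE_FILES[PKG] + b"x"))
```

The design point is the preference list: a client that iterates over the algorithms it supports keeps working when a section disappears and automatically benefits when a stronger one (SHA512, once apt supports it) appears, whereas a client that looks up one fixed field fails closed the moment the archive stops emitting it. Failing closed is the right behaviour for a mismatch, but not for the mere absence of MD5Sum while SHA256 is present.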
Release file changes
>> I additionally opened a bug with apt to add support for SHA512SUM, so
>> we can start using them. As soon as that is possible I intend to drop
>> SHA256 and end up with SHA1/SHA512 only.
> Unfortunately, the algorithm used for the GnuPG signatures (both in
> InRelease and Release.gpg) is SHA-1. Removing SHA-256 in favor of
> SHA-512 does not increase security because the signatures are the
> weakest point. See #612657 for more details.

Well, a slightly different point than reducing yourself to just 2 hashes,
but yes, we should look to change that part too.

-- 
bye, Joerg
Son, when you participate in sporting events, it's not whether you win
or lose: it's how drunk you get.

Archive: http://lists.debian.org/87pqqltaid.fsf@gkar.ganneff.de
Release file changes
>> I additionally opened a bug with apt to add support for SHA512SUM, so
>> we can start using them. As soon as that is possible I intend to drop
>> SHA256 and end up with SHA1/SHA512 only.
> Please don't. I have more faith in SHA-256 than SHA-512.

Uhh, fine - why?

-- 
bye, Joerg
Well, it's 1 a.m. Better go home and spend some quality time with the kids.

Archive: http://lists.debian.org/87fwrhtadq.fsf@gkar.ganneff.de
Release file changes
On 2011-02-21, Joerg Jaspert <joerg@debian.org> wrote:
>>>> until today our Release files included 3 Hashes for all their entries:
>>>> MD5SUM, SHA1, SHA256. I just modified the code to no longer include
>>>> MD5SUM in *all* newly generated Release files.
>>> When will that affect Release files for stable? Next point release?
>>> Because that unfortunately completely breaks debmirror..
>> It did suddenly change for squeeze-updates without consultation with the
>> suite admins. I expect that this is reverted.
> Good laugh that is.

Seriously? Child's play with productive stable suites, breaking tools in
the process and then not fixing it up? And no, just telling people to
update their tools in stable is not the way to go here.

Kind regards
Philipp Kern

Archive: http://lists.debian.org/slrnim5hrp.9ov.trash@kelgar.0x539.de
Release file changes
> It might be worth approaching from a pragmatic perspective... why
> generate SHA-512 checksums when you're only going to be signing a
> SHA-256 digest of that list (that is unless you want to alienate
> users of OpenPGP-compliant tools which don't implement optional
> algorithms). Is it because you feel SHA-512 is more
> tamper-resistant, or because you're worried that you might wind up
> with two entries accidentally colliding over the same SHA-256 hash
> (which is pretty unlikely statistically speaking, and even then may
> not be particularly relevant depending on the use case for the
> hashes).

Care to make a point for the gpg stuff around it within bug #612657?

-- 
bye, Joerg
<snooze02> sind jabber und icq 2 unterschiedliche netzwerke ?
[<snooze02> are jabber and icq 2 different networks?]

Archive: http://lists.debian.org/87bp25tabk.fsf@gkar.ganneff.de