Re: Debian SHA-1 deprecation

To: debian-security@lists.debian.org
Subject: Re: Debian SHA-1 deprecation
From: Paul Wise <pabs@debian.org>
Date: Thu, 19 May 2016 09:21:50 +0800
Message-id: <[🔎] CAKTje6FS0gsez0pn1REe3cXpd+_hcgd8kpGyK679xto_Q2ETRA@mail.gmail.com>
In-reply-to: <[🔎] d6668eb1-f485-bbf9-2d52-82ae376c6001@gmail.com>
References: <[🔎] 573C6C18.7080805@pocock.pro> <[🔎] d6668eb1-f485-bbf9-2d52-82ae376c6001@gmail.com>

On Wed, May 18, 2016 at 11:09 PM, Elmar Stellnberger wrote:

>   Besides these issues; has anyone ever thought of deprecating md5sum-s in
> package headers and using sha256sums instead? That would be of great help
> for tools like debsums or https://www.elstel.org/debcheckroot.

AFAIK the md5sums in binary package files aren't intended to be a
security feature. The package metadata already uses SHA-2.

debcheckroot doesn't look like something that could ever do something
useful, there are so many files in a Debian rootfs that are
dynamically generated from package maintainer scripts rather shipping
in the package itself. Run cruft-ng and you will see just how much.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise

Reply to:

References:
- Debian SHA-1 deprecation
  - From: Daniel Pocock <daniel@pocock.pro>
- Re: Debian SHA-1 deprecation
  - From: Elmar Stellnberger <estellnb@gmail.com>

Prev by Date: Re: Debian SHA-1 deprecation
Next by Date: Re: Which Debian packages leak information to the network?
Previous by thread: Re: Debian SHA-1 deprecation
Next by thread: Re: Debian SHA-1 deprecation
Index(es):
- Date
- Thread