Package: jigdo-file
Severity: normal
Tags: upstream

Dear Maintainer,

as described in https://lists.debian.org/debian-cd/2018/01/msg00021.html jigdo-file verifies the .template file and the resulting ISO image only by MD5 checksums which stem from the .jigdo file. This is good enough for recognizing the packages which shall be grafted into the emerging ISO and for detecting transport errors. But as soon as the .jigdo files are verifiable by the *SUMS and *SUMS.sign, the MD5s will be a weak part of the verification chain.

Three programs from two packages are involved:

- jigdo-lite from package jigdo-file verifies the .template file by line "Template-MD5Sum" from the .jigdo file. The MD5 computation for the downloaded .template file is done by program jigdo-file.

- jigdo-file command "verify" reads the ISO image MD5 from the end of the .template file and compares it with the MD5 calculated from the image file. There are better image checksums in the .jigdo file.

- libjte from package jigit produces the .jigdo and .template files for most Debian ISOs. It could well compute better checksums for .template and put them into the .jigdo file.

Changing the .template format seems more tricky. I am not aware of any description of its format. It would have to be deduced from the code of jigdo-file or libjte.

Have a nice day :)

Thomas
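The first step of the chain described in this report, the "Template-MD5Sum" check that jigdo-lite performs on the downloaded .template file, reproduced as an added example that is not part of the bug report or of the jigdo-file package. The [Image] section and the three-byte "template" are constructed sample data; the check also returns the SHA-256 of the template so that a caller can compare it against a stronger digest obtained out of band, since the MD5 match alone is the weak link the report points at.

```python
import base64
import hashlib

# Constructed sample of a .jigdo file (not a real Debian one).
# Template-MD5Sum holds the MD5 of the .template file encoded the way jigdo does:
# base64 with '-' and '_' in place of '+' and '/', and without '=' padding.
SAMPLE_JIGDO = """\
# JigsawDownload
[Jigdo]
Version=1.1

[Image]
Filename=example.iso
Template=http://example.invalid/example.template
Template-MD5Sum=kAFQmDzST7DWlj99KOF_cg
"""

# Constructed stand-in for the downloaded .template file; its MD5 matches the line above.
SAMPLE_TEMPLATE = b"abc"


def jigdo_b64(digest: bytes) -> str:
    """Encode a raw digest as jigdo's URL-safe, unpadded base64 string."""
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def image_section(jigdo_text: str) -> dict:
    """Return the key=value pairs of the [Image] section, skipping comments and blank lines."""
    values, in_image = {}, False
    for line in jigdo_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_image = line == "[Image]"
            continue
        if in_image and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip()] = value.strip()
    return values


def verify_template(jigdo_text: str, template: bytes) -> dict:
    """Compare the MD5 of the template with Template-MD5Sum, as jigdo-lite does.
    The SHA-256 is returned alongside so the caller can check it against a
    stronger digest that did not travel through the same MD5-only chain."""
    expected = image_section(jigdo_text).get("Template-MD5Sum")
    md5_ok = expected is not None and jigdo_b64(hashlib.md5(template).digest()) == expected
    return {"md5_ok": md5_ok, "sha256": hashlib.sha256(template).hexdigest()}
```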