Hi,

Daniel Kahn Gillmor wrote:
> If jigdo would use the SHA256sum entries instead of the MD5 entries when
> it is doing ISO assembly, then everyone could still fetch full DVD sets
> or BD sized installation ISOs

I am kind of the second-last jigdo expert, but not at all with .deb
entrails.
Are you sure that Debian package management is involved other than
maybe with generating the input file for xorrisofs option -md5-list?

In the .jigdo file, which controls the package download operations
of jigdo-lite, the MD5 is a key which connects the package file path
with a matchable descriptor entry in the .template file bearing the
same MD5.
A gunzipped .jigdo file bears for example
  
FexKzYyIVG2rRb1UjUKj8Q=Debian:pool/contrib/b/biomaj-watcher/biomaj-watcher_1.2.2-4_all.deb
which is the MD5 as base64, "=Debian:" representing the individual part
of the mirror URL chosen at download time, and "pool/.../...deb" to depict
the invariant package path part on the mirror server.
The matching descriptor entry in .template bears the same MD5 and by
its position marks the place where to patch the .deb file into the .iso.

Maybe Steve McIntyre can say more about how the -md5-list file gets created
before xorrisofs is run.


> AFAICT, jigdo's last maintenance release (debian version) was nearly two
> years ago.

Steve seems busy with other stuff.


> The last upstream release (0.7.3) was produced in 2006.

This one is dead. At that time, the .jigdo and .template files were
generated from existing .iso images by matching the submitted MD5 list
against block sequences in the ISO.
Steve then taught genisoimage how to produce .jigdo and .template on
the fly while producing the .iso image.
Before xorriso could take over the job, George Danchev and I extracted
Steve's jigdo code into a library named libjte which is then used by
xorriso to produce the desired companion files of the .iso.

For restoring .iso from jigdo, only jigdo-lite from package jigdo-file
is left. Because there is no supported tool for Mac or MS-Windows,
I began to describe a jigdo download procedure via a Debian Live ISO:
  https://wiki.debian.org/JigdoOnLive

Main open questions are about how to get a Debian Live connected to the
internet if there is non-free firmware needed, and how to access the
foreign OS'es filesystems for writing the .jigdo, .template, and .iso
files. (I am neither sysadmin nor MS/Mac user.)


> Do you have any suggestions to offer to make jigdo work using a modern
> cryptographic digest?

We would have to team up with Steve to fix the remaining moderate
security concerns about the jigdo download process.

There are no security concerns about the matching of .template block
ranges with package paths, because no man-in-the-middle can alter
this mapping, once .jigdo and .template files are verified.
MD5 with its 128 bits should be very safe against false identifications
if the file count in a .jigdo file stays well below 2 exp 30.

The resolution of bug #887830 fixed the most dangerous security gap of
using a totally untrusted .jigdo file and a then only MD5-checked
.template file. A cautious user can now verify both files before running
jigdo-lite. (jigdo-lite will not download again if it finds the files
already in the current work directory.)

This bug here, #887831, only tries to bring the internal checks of
jigdo-lite on the downloaded .template and resulting .iso to the security
standard which is recommended but not enforced for download of .jigdo
or direct download of .iso.

Steve once announced that he would publish a straightforward instruction
for the verification steps from SHA512SUMS.sign, to SHA512SUMS and then to
possibly .jigdo and always .iso.
I hope he still knows where the draft for this is ... :))


Have a nice day :)

Thomas
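
The .jigdo part line described in the message above, parsed and checked against file content. This is an added example, not part of the original message and not jigdo's own code; it assumes jigdo's base64 variant uses '-' and '_' and omits '=' padding, and the function names are hypothetical.

```python
import base64
import hashlib
from typing import NamedTuple

# Part line quoted in the message above.
SAMPLE_LINE = ("FexKzYyIVG2rRb1UjUKj8Q=Debian:pool/contrib/b/biomaj-watcher/"
               "biomaj-watcher_1.2.2-4_all.deb")


class JigdoPart(NamedTuple):
    md5: bytes   # raw 16-byte digest, the key shared with the .template entry
    label: str   # mirror label, replaced by a mirror URL at download time
    path: str    # invariant package path on the mirror


def decode_jigdo_md5(text: str) -> bytes:
    """Decode the 22-character checksum field into a 16-byte MD5 digest."""
    # Assumption: URL-safe alphabet without '=' padding, so restore padding.
    digest = base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))
    if len(digest) != 16:
        raise ValueError(f"not an MD5 digest: {text!r}")
    return digest


def encode_jigdo_md5(digest: bytes) -> str:
    """Inverse of decode_jigdo_md5."""
    return base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")


def parse_part(line: str) -> JigdoPart:
    """Split 'MD5=Label:path' at the first '=' and the first ':' after it."""
    checksum, eq, location = line.strip().partition("=")
    label, colon, path = location.partition(":")
    if not (eq and colon and label and path):
        raise ValueError(f"malformed part line: {line!r}")
    return JigdoPart(decode_jigdo_md5(checksum), label, path)


def matches(part: JigdoPart, data: bytes) -> bool:
    """True if the downloaded bytes carry the MD5 the part line promises."""
    return hashlib.md5(data).digest() == part.md5


if __name__ == "__main__":
    part = parse_part(SAMPLE_LINE)
    # The hex form is what md5sum prints for the downloaded .deb.
    print(part.md5.hex(), part.label, part.path)
```
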
