On Wed 2019-10-23 16:39:24 +0100, Steve McIntyre wrote:
> On Tue, Oct 22, 2019 at 11:51:56PM +0200, Ansgar wrote:
>> - writing MD5sum in a separate file only used by debian-cd (if present,
>>   otherwise debian-cd should fall back to using Packages), or

Sounds like this is the only option available given the constraints of
deployed systems in the field.

What parts of Debian's internal machinery need to be updated to do such
a thing?

> I've started a local branch to update jigdo and jigit/libjte to use
> sha256 some time ago, but -ENOTIME.

Bummer, and I feel for you.

Perhaps we should officially EOL jigdo now, if no one has time to work
on it.

Obviously, we'd continue supporting deployed legacy systems and give
them a chance (one release cycle?) to switch to something that is
actually maintained, but it is doing them no favors to pretend that a
system they're relying on is getting maintenance when no one has time to
work on it.

> As mentioned in IRC yesterday, we will also need some time to update
> clients in the field to be able to upgrade safely. That includes
> Windows binaries (yay!)...

The time to update (or deprecate) deployed clients that depend on md5
for object integrity was something like 8 years ago when RFC 6151 was
published :(

