Hi, i wrote: > > [...] MD5s. I'd rather characterize them as relation keys and as > > transport checksums.
Steve McIntyre wrote: > It's *also* checking for potential corruption in the mirror at build > time. MD5 is well suited for that, as long as this is not considered to be part of an intrusion detection system. > > I wonder whether it is really that hard for debian-cd to compute the MD5s > > on its own, before it runs xorriso. > But that loses the mirror-checking feature that I'd like to keep. How about mirror checking by SHA256 in grab_md5, before computing the MD5 for jigdo ? This would authorize the MD5 in a similar strength as it is currently by the list from which grab_md5 reads it. > I *do* want to update things here, and it's not far off done AFAICS. But the confusion caused by the format change ... "old-old-stable" not being able to download the full DVD set of "stable". > I'm looking at moving to sha256 now, and this will pull through the whole > pipeline. Don't forget to notify me when a new libjte tarball is ready for inclusion in GNU xorriso. Have a nice day :) Thomas
