On Thu, Oct 24, 2019 at 12:56:53PM +0200, Thomas Schmitt wrote:
>Hi,
>
>i wrote:
>> > [...] MD5s. I'd rather characterize them as relation keys and as
>> > transport checksums.
>
>Steve McIntyre wrote:
>> It's *also* checking for potential corruption in the mirror at build
>> time.
>
>MD5 is well suited for that, as long as this is not considered to be part
>of an intrusion detection system.

Exactly.

>> > I wonder whether it is really that hard for debian-cd to compute the MD5s
>> > on its own, before it runs xorriso.
>
>> But that loses the mirror-checking feature that I'd like to keep.
>
>How about mirror checking by SHA256 in grab_md5, before computing the
>MD5 for jigdo ?

That's slow, doing two passes of MD5: one here, one later on when
we're doing the I/O anyway. I'd much rather just switch from md5 to
sha256 in both places and use the already-available checksum data.
That's a lot of the point of the JTE design in the first place.

>> I *do* want to update things here, and it's not far off done AFAICS.
>
>But the confusion caused by the format change ...
>"old-old-stable" not being able to download the full DVD set of "stable".

It'll take time to switch everything - I'll make an EOL announcement.

>> I'm looking at moving to sha256 now, and this will pull through the whole
>> pipeline.
>
>Don't forget to notify me when a new libjte tarball is ready for inclusion
>in GNU xorriso.

Yup, of course. :-)

-- 
Steve McIntyre, Cambridge, UK. st...@einval.com
"I suspect most samba developers are already technically insane...
 Of course, since many of them are Australians, you can't tell." -- Linus Torvalds