* Paul Wise <p...@debian.org> [130802 15:54]: > > In any case, removing md5 support seems like a bad idea to me right > > now, as older software might not have been adapted to check the other > > hashes, or would imply breaking the current .dsc and ,changes formats, > > as the Files field uses md5. > > We've had SHA1 since before snapshot.d.o data started (2005), I would > guess any relevant software would have been updated in the last 8 > years.
In 2008 ubuntu had Sha256Sums wrong which showed that back then almost not software even bothered to check those fields: https://bugs.launchpad.net/ubuntu/+source/apt/+bug/243630 non-md5sum hashses in Sources generated by DAK were incomplete until the generation code moved away from apt-ftparchive (early 2011 I think), thus only the Files: part with md5sums was the only reliable way to get the list of all files belonging to it. Support for non-md5sum hashes was added to dpkg-scansources/apt-ftparchive with apt (0.7.25.3) released to unstable 2010-02-01, first released with squeeze. So it is not some 8 years. It is more "since squeeze" that Debian and some of the common tools even produce complete non-md5sum hashes in Sources indices. reprepro for example only tries to support source indices without "Files" (i.e. md5sum hashes) since 4.12.0 (i.e. since wheezy). Bernhard R. Link -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20130803075234.ga3...@client.brlink.eu
