On 01/22/2017 10:49 AM, Philipp Kern wrote:
> On 22.01.2017 00:17, Holger Levsen wrote:
>> We really ought to do the same. I'm all for keeping sha1+sha256, but
>> please let's *completely* drop md5sums for buster.
>
> We already dropped SHA1, FWIW, so it's md5+sha256. And again, the Oracle
> announcement was about MD5-only, so isn't relevant to the discussion.
>
> I do sympathize with the "drop md5sum to see what breaks". But that's a
> discussion for after the release. And how you formulate your argument
> does not help your case.

afaik people are criticizing that there are still (only) md5sum files in
/var/lib/dpkg/info. As dpkg --verify uses them, it might indeed make
sense to replace them. (yes, dpkg is not an IDS, but better than
nothing...).

--
Bernd Zeimetz                            Debian GNU/Linux Developer
http://bzed.de                                http://www.debian.org
GPG Fingerprint: ECA1 E3F2 8E11 2432 D485 DD95 EB36 171A 6FF9 435F