Hi!

On Thu, 2023-06-01 at 19:06:34 +0200, Guillem Jover wrote:
> > ------------------ Original Message ------------------
> > From: "Guillem Jover"<guil...@debian.org>;
> > Sent: Thursday, June 1, 2023, 5:33 AM
> > To: "sweetyfish"<sweetyf...@deepin.org>;
> > Cc: "debian-dpkg"<debian-dpkg@lists.debian.org>;
> > "lichenggang"<lichengg...@uniontech.com>;
> > Subject: Re: [PATCH] dpkg-scanpackages: Add sha512 support
>
> > Thanks for the patch! Although I've had this implemented with
> > <https://git.hadrons.org/git/debian/dpkg/dpkg.git/commit/?h=pu/sha-512&id=4df34f697309a816f6e137f13296270ea84ed938>
> > for some time. The problem is that this would require first checking
> > that consumers can cope with the new field, and do not reject files
> > containing them (.dsc, .buildinfo, .changes, Packages, Sources, etc).
> > Then at least in Debian checking whether the added fields incur too
> > much bloat, for the potential security benefit they might bring.
> > (Offsetting this by removing fields would probably imply having to
> > bump the format versions for various of the involved files containing
> > these removed files.)
> On Thu, 2023-06-01 at 09:27:09 +0800, 李成刚 wrote:
> > Thank you very much for your work, we use obs
> > (https://openbuildservice.org/) to build the platform, obs uses
> > dpkg-scanpackages to generate warehouses, dpkg-scanpackages does
> > not support sha512, and there are some wrong behaviors when mixed
> > with our other warehouses
>
> As discussed on IRC with sweetyfish, it looks like apt and Ubuntu's
> archive software (via Launchpad.net) at least support SHA512 hashes.
> I see reprepro gained support for them last year. So I assume things
> in general would not break. But if you are seeing breakage somewhere
> that's worth investigating as these should be optional fields that
> would in general only cause failures if they are missing and there are
> only weak ones present.
>
> As mentioned above, and on IRC, adding support for this
> unconditionally would require checking whether DAK (the Debian Archive
> Kit software that manages the Debian archive) does not reject uploads
> using those hashes, and if so adding support for them, and then for
> Debian a discussion would be needed to see whether the potential bloat
> is worth it.

This has been discussed in the past and there didn't seem much enthusiasm at the time, but then that was 10 years ago:

https://lists.debian.org/debian-devel/2012/10/msg00159.html
https://lists.debian.org/debian-devel/2013/08/msg00033.html

For reference there's also this draft spec that is relevant here:

https://wiki.debian.org/Teams/Dpkg/Spec/ChangesFormat2.0

> If you manage to find the reason for your issues, and that requires
> adding these hashes, then I could see adding support for conditionally
> enabling them, but that might end up not being a trivial change, as
> this would need to be passed down from dpkg-buildpackage to dpkg-source
> and dpkg-genbuildinfo for example, although not an insurmountable one.

After discussing this further on IRC, AFAIUI this was just a request to add the support simply to use it, apparently nothing was breaking, I just got that impression from the original mail.

In any case I started to look into untangling this yesterday, and have some code which would be targeted at 1.22.x.

Thanks,
Guillem