On Thu, Nov 7, 2024 at 10:12 PM Jeremy Stanley wrote:
> [...]
>
> Probably the most convincing reason to replace such uses of MD5 is
> that we collectively get to stop wasting time answering this same
> question over and over and over...
One more datapoint that might be useful AMD/Intel, ARMv
On 2024-11-08 15:41:25 + (+), Jeremy Stanley wrote:
[...]
> Now grab a package file like
> https://deb.debian.org/debian/pool/main/o/openssh/ssh_9.9p1-3_all.deb
> and unpack it (dpkg-deb ssh_9.9p1-3_all.deb foo)
[...]
Hopefully obvious, but that should have been `dpkg-deb -R ...`
instead,
Quoting Jeremy Stanley:
Mostly. I don't know that the per-file checksums inside the DEB are
all that useful to "make sure the packages arrived in one piece and
weren't corrupted" since we already have stronger solutions for
that:
I am a frequent debsums runner. debsums alerts you when
On 2024-11-08 04:04:19 + (+), debianmailinglists.hz...@simplelogin.com
wrote:
> I'm not a Debian developer, just a curious onlooker who hasn't
> seen all of these messages, so I could be completely off base with my
> understanding of how things work. But, it was my understanding
> that the bu
David Campbell writes:
> To whom it may concern,
>
> dpkg currently uses MD5 to verify packages, but MD5 is considered
> insecure, why not switch to SHA256 (and also update lintian)?
>
> Also, to make verifying packages more useful, why not get a checksum
> from a more trusted source, like a main
From: debianmailinglists.hz...@simplelogin.com:
>
> I'm not a Debian developer, just a curious onlooker who hasn't seen all
> of these messages, so I could be completely off base with my understanding
> of how things work. But, it was my understanding that the bundled MD5
> inside a .deb file isn't t
On Thu, Nov 7, 2024 at 10:12 PM Jeremy Stanley wrote:
> [...]
> Probably the most convincing reason to replace such uses of MD5 is
> that we collectively get to stop wasting time answering this same
> question over and over and over...
Hear, hear!
Jeff
I'm not a Debian developer, just a curious onlooker who hasn't seen all of
these messages, so I could be completely off base with my understanding of how
things work. But, it was my understanding that the bundled MD5 inside a .deb
file isn't there for security, it's just there to make sure the pack
On 2024-11-07 21:30:26 -0500 (-0500), Jeffrey Walton wrote:
> On Thu, Nov 7, 2024 at 7:22 PM Jeremy Stanley wrote:
> >
> > On 2024-11-07 16:45:54 -0500 (-0500), David Campbell wrote:
> > [...]
> > > dpkg currently uses MD5 to verify packages, but MD5 is considered
> > > insecure, why not switch to
On Thu, Nov 7, 2024 at 7:22 PM Jeremy Stanley wrote:
>
> On 2024-11-07 16:45:54 -0500 (-0500), David Campbell wrote:
> [...]
> > dpkg currently uses MD5 to verify packages, but MD5 is considered
> > insecure, why not switch to SHA256 (and also update lintian)?
> [...]
>
> MD5 is considered insecur
On 2024-11-07 16:45:54 -0500 (-0500), David Campbell wrote:
[...]
> dpkg currently uses MD5 to verify packages, but MD5 is considered
> insecure, why not switch to SHA256 (and also update lintian)?
[...]
MD5 is considered insecure to collision attacks, but mounting one
would require that the creat
Nope, but I thought that may be a way to make checksumming more useful.
On 11/7/24 17:08, Jonathan Hutchins wrote:
Do you have any evidence that there has been an attempt to post bogus
packages to the official mirrors?
--
David Campbell
On 2024-11-07 15:45, David Campbell wrote:
To whom it may concern,
dpkg currently uses MD5 to verify packages, but MD5 is considered
insecure, why not switch to SHA256 (and also update lintian)?
Do you have any evidence that there has been an attempt to post bogus
packages to the official mir
To whom it may concern,
dpkg currently uses MD5 to verify packages, but MD5 is considered
insecure, why not switch to SHA256 (and also update lintian)?
Also, to make verifying packages more useful, why not get a checksum
from a more trusted source, like a main Debian package repository to
co