Merge lp:~xnox/debian-cd/add_secured-fixes into lp:~ubuntu-cdimage/debian-cd/ubun3

Proposed by Dimitri John Ledkov
Status: Merged
Merged at revision: 2068
Proposed branch: lp:~xnox/debian-cd/add_secured-fixes
Merge into: lp:~ubuntu-cdimage/debian-cd/ubun3
Diff against target: 106 lines (+25/-33)
3 files modified
tools/add_secured (+20/-28)
tools/scanpackages (+3/-3)
tools/scansources (+2/-2)
To merge this branch: bzr merge lp:~xnox/debian-cd/add_secured-fixes
Reviewer: Steve Langasek
Review status: Approve
Review via email: mp+386129@code.launchpad.net

Commit message

drop MD5, SHA1 for iso archive

port add_secured to python3

Steve Langasek (vorlon) wrote :

why would we want to specifically drop sha512 generation, rather than letting it be present but unused?

Steve Langasek (vorlon) :
review: Needs Information
Dimitri John Ledkov (xnox) wrote :

Hi,

On Sat, 20 Jun 2020, 20:34 Steve Langasek, <email address hidden>
wrote:

> why would we want to specifically drop sha512 generation, rather than
> letting it be present but unused?
>

Currently archive generates md5, sha1, sha256. Whilst cdimage generates
md5, sha1, sha256, sha512. Apt downloads/validates all hashes, even if it
considers them insecure. I have separately asked LP to stop generating
md5/sha1.

Imho, we should be consistent.

Are you saying we should switch to sha512 by default?

Especially since it is faster on 64bit platforms than sha256.

Regards,

Dimitri.

Steve Langasek (vorlon) wrote :

I'm not suggesting switching to sha512 by default; I just am not sure of the rationale for dropping sha512 (vs the rationale for dropping md5 and sha1, which are obsolete and insecure).

lp:~xnox/debian-cd/add_secured-fixes updated
2069. By Dimitri John Ledkov

tools: drop MD5, SHA1 for iso packaging metadata

MD5 and SHA1 are no longer trusted, so stop generating them.

Older releases, that still generate d-i based images, prior to bionic
require MD5 for d-i components to operate. Thus keep MD5 in the
Release & d-i suites on xenial and lower.

Dimitri John Ledkov (xnox) wrote :

> I'm not suggesting switching to sha512 by default; I just am not sure of the
> rationale for dropping sha512 (vs the rationale for dropping md5 and sha1,
> which are obsolete and insecure).

Agree. Code adjusted.

Steve Langasek (vorlon) :
review: Approve

Preview Diff

1=== modified file 'tools/add_secured'
2--- tools/add_secured 2016-03-23 18:30:15 +0000
3+++ tools/add_secured 2020-06-21 00:38:43 +0000
4@@ -20,32 +20,24 @@
5 }
6
7 # sign
8-if [ -e "dists/$CODENAME/Release" ]; then
9- # Add the MD5Sum field again
10- echo "MD5Sum:" >> dists/$CODENAME/Release
11- find dists/$CODENAME/ -name 'Packages' -o -name 'Packages.gz' \
12- -o -name 'Sources' -o -name 'Sources.gz' -o -name 'Release' | \
13- grep -v non-US/ | grep -v dists/$CODENAME/Release | \
14- sed -e "s#^dists/$CODENAME/##" | \
15- (while read file; do \
16- rfile="dists/$CODENAME/$file"; \
17- c=`wc -c < $rfile`; \
18- m=`md5sum < $rfile | cut -d" " -f1`; \
19- printf " %s %8d %s\n" $m $c $file; \
20- done) >> dists/$CODENAME/Release
21- # Add the SHA1 field again
22- echo "SHA1:" >> dists/$CODENAME/Release
23- find dists/$CODENAME/ -name 'Packages' -o -name 'Packages.gz' \
24- -o -name 'Sources' -o -name 'Sources.gz' -o -name 'Release' | \
25- grep -v non-US/ | grep -v dists/$CODENAME/Release | \
26- sed -e "s#^dists/$CODENAME/##" | \
27- (while read file; do \
28- rfile="dists/$CODENAME/$file"; \
29- c=`wc -c < $rfile`; \
30- m=`sha1sum < $rfile | cut -d" " -f1`; \
31- printf " %s %8d %s\n" $m $c $file; \
32- done) >> dists/$CODENAME/Release
33- sign_release dists/$CODENAME/Release
34+if [ -e "dists/$CODENAME/Release" ]; then
35+ case $CODENAME in
36+ # Prior to bionic, anna only knew how to use MD5Sum, keep it there
37+ precise|trusty|xenial)
38+ # Add the MD5Sum field again
39+ echo "MD5Sum:" >> dists/$CODENAME/Release
40+ find dists/$CODENAME/ -name 'Packages' -o -name 'Packages.gz' \
41+ -o -name 'Sources' -o -name 'Sources.gz' -o -name 'Release' | \
42+ grep -v non-US/ | grep -v dists/$CODENAME/Release | \
43+ sed -e "s#^dists/$CODENAME/##" | \
44+ (while read file; do \
45+ rfile="dists/$CODENAME/$file"; \
46+ c=`wc -c < $rfile`; \
47+ m=`md5sum < $rfile | cut -d" " -f1`; \
48+ printf " %s %8d %s\n" $m $c $file; \
49+ done) >> dists/$CODENAME/Release
50+ ;;
51+ esac
52 # Add the SHA256 field again
53 echo "SHA256:" >> dists/$CODENAME/Release
54 find dists/$CODENAME/ -name 'Packages' -o -name 'Packages.gz' \
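Review bot: The `precise|trusty|xenial)` arm of the new `case $CODENAME` hard-codes the releases that keep MD5Sum, so any other pre-bionic codename built with this script silently loses the field, and `$CODENAME` is unquoted. The commit message states the rule as "xenial and lower"; either list every pre-bionic codename that is still built or add a comment saying these three are the only ones. The re-indented loop also keeps `read file` without `-r` and an unquoted `$rfile` in `wc -c < $rfile` and `md5sum < $rfile`; quoting them while the block is being touched would be cheap.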
55@@ -55,7 +47,7 @@
56 (while read file; do \
57 rfile="dists/$CODENAME/$file"; \
58 c=`wc -c < $rfile`; \
59- m=`python -c 'import apt_pkg; print apt_pkg.sha256sum(open("'"$rfile"'"))'`; \
60+ m=`python3 -c 'import apt_pkg; print(apt_pkg.sha256sum(open("'"$rfile"'")))'`; \
61 printf " %s %8d %s\n" $m $c $file; \
62 done) >> dists/$CODENAME/Release
63 sign_release dists/$CODENAME/Release
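Review bot: On the changed `m=` line the path is spliced into the Python source as `open("'"$rfile"'")`, so a file name containing a double quote or backslash alters the program text rather than just the argument, and the file is opened in text mode and never closed. Passing the path as an argument (`sys.argv[1]`) and opening it with `"rb"` avoids both; alternatively `sha256sum < "$rfile" | cut -d" " -f1` would match how the MD5 branch above computes its digest and remove the per-file interpreter start.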
64@@ -96,7 +88,7 @@
65 (while read file; do \
66 rfile="dists/$CODENAME/non-US/$file"; \
67 c=`wc -c < $rfile`; \
68- m=`python -c 'import apt_pkg; print apt_pkg.sha256sum(open("'"$rfile"'"))'`; \
69+ m=`python3 -c 'import apt_pkg; print(apt_pkg.sha256sum(open("'"$rfile"'")))'`; \
70 printf " %s %8d %s\n" $m $c $file; \
71 done) >> dists/$CODENAME/non-US/Release
72 sign_release dists/$CODENAME/non-US/Release
73
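Review bot: The `python3 -c` one-liner on the changed line is identical to the one in the main Release loop and is now maintained in two places. A small shell function next to `sign_release` that takes the path and prints the digest would keep the two loops in step and give one place to fix quoting.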
74=== modified file 'tools/scanpackages'
75--- tools/scanpackages 2019-10-16 10:25:30 +0000
76+++ tools/scanpackages 2020-06-21 00:38:43 +0000
77@@ -129,12 +129,12 @@
78 fi
79
80 # Generating Packages files
81-apt-ftparchive --no-contents generate $PREFIX.generate-binary
82+apt-ftparchive --no-contents --no-md5 --no-sha1 generate $PREFIX.generate-binary
83 if [ -n "$NONUS" ]; then
84- apt-ftparchive --no-contents generate $PREFIX.generate-binary-non-US
85+ apt-ftparchive --no-contents --no-md5 --no-sha1 generate $PREFIX.generate-binary-non-US
86 fi
87 if [ -e "$MIRROR/dists/$DI_CODENAME/main/debian-installer" ]; then
88- apt-ftparchive --no-contents generate $PREFIX.generate-binary-debian-installer
89+ apt-ftparchive --no-contents --no-sha1 generate $PREFIX.generate-binary-debian-installer
90 fi
91
92 if [ "$PROJECT" != ubuntu-moblin-remix ] && \
93
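Review bot: The debian-installer invocation passes only `--no-sha1`, so MD5 stays in the d-i Packages index for every release, while `tools/add_secured` keeps MD5Sum only for `precise|trusty|xenial`. If MD5 is needed only prior to bionic, gate `--no-md5` on `$DI_CODENAME` the same way; if retaining it everywhere is deliberate, a comment on that line saying why would stop a later cleanup from adding `--no-md5` and breaking older installers.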
94=== modified file 'tools/scansources'
95--- tools/scansources 2007-09-22 15:00:39 +0000
96+++ tools/scansources 2020-06-21 00:38:43 +0000
97@@ -164,9 +164,9 @@
98 done
99 fi
100
101-apt-ftparchive --no-contents generate $PREFIX.generate-source
102+apt-ftparchive --no-contents --no-md5 --no-sha1 generate $PREFIX.generate-source
103 if [ -n "$NONUS" ]; then
104- apt-ftparchive --no-contents generate $PREFIX.generate-source-non-US
105+ apt-ftparchive --no-contents --no-md5 --no-sha1 generate $PREFIX.generate-source-non-US
106 fi
107
108
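Review bot: `--no-md5 --no-sha1` is repeated on both invocations here and on two more in `tools/scanpackages`; putting the flags in one variable shared by both scripts would keep the digest policy in a single place. `$PREFIX` is also unquoted in the argument `$PREFIX.generate-source`.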
