debian-cd

Merge lp:~xnox/debian-cd/add_secured-fixes into lp:~ubuntu-cdimage/debian-cd/ubun3

  1. add_secured-fixes
  2. Merge into ubun3
Proposed by Dimitri John Ledkov
Status: Merged
Merged at revision: 2068
Proposed branch: lp:~xnox/debian-cd/add_secured-fixes
Merge into: lp:~ubuntu-cdimage/debian-cd/ubun3
Diff against target: 106 lines (+25/-33)
3 files modified
tools/add_secured (+20/-28)
tools/scanpackages (+3/-3)
tools/scansources (+2/-2)
To merge this branch: bzr merge lp:~xnox/debian-cd/add_secured-fixes
Reviewer Review Type Date Requested Status
Steve Langasek Approve
Review via email: mp+386129@code.launchpad.net

Commit message

drop MD5, SHA1 for iso archive

port add_secured to python3

To post a comment you must log in.
Revision history for this message
Steve Langasek (vorlon) wrote :

why would we want to specifically drop sha512 generation, rather than letting it be present but unused?

Revision history for this message
Steve Langasek (vorlon) :
review: Needs Information
Revision history for this message
Dimitri John Ledkov (xnox) wrote :

Hi,

On Sat, 20 Jun 2020, 20:34 Steve Langasek, <email address hidden>
wrote:

> why would we want to specifically drop sha512 generation, rather than
> letting it be present but unused?
>

Currently archive generates md5, sha1, sha256. Whilst cdimage generates
md5, sha1, sha256, sha512. Apt downloads/validates all hashes, even if it
considers them insecure. I have separately asked LP to stop generating
md5/sha1.

Imho, we should be consistent.

Are you saying we should switch to sha512 by default?

Especially since it is faster on 64bit platforms than sha256.

Regards,

Dimitri.

Revision history for this message
Steve Langasek (vorlon) wrote :

I'm not suggesting switching to sha512 by default; I just am not sure of the rationale for dropping sha512 (vs the rationale for dropping md5 and sha1, which are obsolete and insecure).

lp:~xnox/debian-cd/add_secured-fixes updated
2069. By Dimitri John Ledkov

tools: drop MD5, SHA1 for iso packaging metadata

MD5 and SHA1 are no longer trusted, so stop generating them.

Older releases, that still generate d-i based images, prior to bionic
require MD5 for d-i components to operate. Thus keep MD5 in the
Release & d-i suites on xenial and lower.

Revision history for this message
Dimitri John Ledkov (xnox) wrote :

> I'm not suggesting switching to sha512 by default; I just am not sure of the
> rationale for dropping sha512 (vs the rationale for dropping md5 and sha1,
> which are obsolete and insecure).

Agree. Code adjusted.

Revision history for this message
Steve Langasek (vorlon) :
review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
=== modified file 'tools/add_secured'
--- tools/add_secured 2016-03-23 18:30:15 +0000
+++ tools/add_secured 2020-06-21 00:38:43 +0000
@@ -20,32 +20,24 @@
20}20}
2121
22# sign22# sign
23if [ -e "dists/$CODENAME/Release" ]; then 23if [ -e "dists/$CODENAME/Release" ]; then
24 # Add the MD5Sum field again24 case $CODENAME in
25 echo "MD5Sum:" >> dists/$CODENAME/Release25 # Prior to bionic, anna only knew how to use MD5Sum, keep it there
26 find dists/$CODENAME/ -name 'Packages' -o -name 'Packages.gz' \26 precise|trusty|xenial)
27 -o -name 'Sources' -o -name 'Sources.gz' -o -name 'Release' | \27 # Add the MD5Sum field again
28 grep -v non-US/ | grep -v dists/$CODENAME/Release | \28 echo "MD5Sum:" >> dists/$CODENAME/Release
29 sed -e "s#^dists/$CODENAME/##" | \29 find dists/$CODENAME/ -name 'Packages' -o -name 'Packages.gz' \
30 (while read file; do \30 -o -name 'Sources' -o -name 'Sources.gz' -o -name 'Release' | \
31 rfile="dists/$CODENAME/$file"; \31 grep -v non-US/ | grep -v dists/$CODENAME/Release | \
32 c=`wc -c < $rfile`; \32 sed -e "s#^dists/$CODENAME/##" | \
33 m=`md5sum < $rfile | cut -d" " -f1`; \33 (while read file; do \
34 printf " %s %8d %s\n" $m $c $file; \34 rfile="dists/$CODENAME/$file"; \
35 done) >> dists/$CODENAME/Release35 c=`wc -c < $rfile`; \
36 # Add the SHA1 field again36 m=`md5sum < $rfile | cut -d" " -f1`; \
37 echo "SHA1:" >> dists/$CODENAME/Release37 printf " %s %8d %s\n" $m $c $file; \
38 find dists/$CODENAME/ -name 'Packages' -o -name 'Packages.gz' \38 done) >> dists/$CODENAME/Release
39 -o -name 'Sources' -o -name 'Sources.gz' -o -name 'Release' | \39 ;;
40 grep -v non-US/ | grep -v dists/$CODENAME/Release | \40 esac
41 sed -e "s#^dists/$CODENAME/##" | \
42 (while read file; do \
43 rfile="dists/$CODENAME/$file"; \
44 c=`wc -c < $rfile`; \
45 m=`sha1sum < $rfile | cut -d" " -f1`; \
46 printf " %s %8d %s\n" $m $c $file; \
47 done) >> dists/$CODENAME/Release
48 sign_release dists/$CODENAME/Release
49 # Add the SHA256 field again41 # Add the SHA256 field again
50 echo "SHA256:" >> dists/$CODENAME/Release42 echo "SHA256:" >> dists/$CODENAME/Release
51 find dists/$CODENAME/ -name 'Packages' -o -name 'Packages.gz' \43 find dists/$CODENAME/ -name 'Packages' -o -name 'Packages.gz' \
@@ -55,7 +47,7 @@
55 (while read file; do \47 (while read file; do \
56 rfile="dists/$CODENAME/$file"; \48 rfile="dists/$CODENAME/$file"; \
57 c=`wc -c < $rfile`; \49 c=`wc -c < $rfile`; \
58 m=`python -c 'import apt_pkg; print apt_pkg.sha256sum(open("'"$rfile"'"))'`; \50 m=`python3 -c 'import apt_pkg; print(apt_pkg.sha256sum(open("'"$rfile"'")))'`; \
59 printf " %s %8d %s\n" $m $c $file; \51 printf " %s %8d %s\n" $m $c $file; \
60 done) >> dists/$CODENAME/Release52 done) >> dists/$CODENAME/Release
61 sign_release dists/$CODENAME/Release53 sign_release dists/$CODENAME/Release
@@ -96,7 +88,7 @@
96 (while read file; do \88 (while read file; do \
97 rfile="dists/$CODENAME/non-US/$file"; \89 rfile="dists/$CODENAME/non-US/$file"; \
98 c=`wc -c < $rfile`; \90 c=`wc -c < $rfile`; \
99 m=`python -c 'import apt_pkg; print apt_pkg.sha256sum(open("'"$rfile"'"))'`; \91 m=`python3 -c 'import apt_pkg; print(apt_pkg.sha256sum(open("'"$rfile"'")))'`; \
100 printf " %s %8d %s\n" $m $c $file; \92 printf " %s %8d %s\n" $m $c $file; \
101 done) >> dists/$CODENAME/non-US/Release93 done) >> dists/$CODENAME/non-US/Release
102 sign_release dists/$CODENAME/non-US/Release94 sign_release dists/$CODENAME/non-US/Release
10395
=== modified file 'tools/scanpackages'
--- tools/scanpackages 2019-10-16 10:25:30 +0000
+++ tools/scanpackages 2020-06-21 00:38:43 +0000
@@ -129,12 +129,12 @@
129fi129fi
130130
131# Generating Packages files131# Generating Packages files
132apt-ftparchive --no-contents generate $PREFIX.generate-binary132apt-ftparchive --no-contents --no-md5 --no-sha1 generate $PREFIX.generate-binary
133if [ -n "$NONUS" ]; then133if [ -n "$NONUS" ]; then
134 apt-ftparchive --no-contents generate $PREFIX.generate-binary-non-US134 apt-ftparchive --no-contents --no-md5 --no-sha1 generate $PREFIX.generate-binary-non-US
135fi135fi
136if [ -e "$MIRROR/dists/$DI_CODENAME/main/debian-installer" ]; then136if [ -e "$MIRROR/dists/$DI_CODENAME/main/debian-installer" ]; then
137 apt-ftparchive --no-contents generate $PREFIX.generate-binary-debian-installer137 apt-ftparchive --no-contents --no-sha1 generate $PREFIX.generate-binary-debian-installer
138fi138fi
139139
140if [ "$PROJECT" != ubuntu-moblin-remix ] && \140if [ "$PROJECT" != ubuntu-moblin-remix ] && \
141141
=== modified file 'tools/scansources'
--- tools/scansources 2007-09-22 15:00:39 +0000
+++ tools/scansources 2020-06-21 00:38:43 +0000
@@ -164,9 +164,9 @@
164 done164 done
165fi165fi
166166
167apt-ftparchive --no-contents generate $PREFIX.generate-source167apt-ftparchive --no-contents --no-md5 --no-sha1 generate $PREFIX.generate-source
168if [ -n "$NONUS" ]; then168if [ -n "$NONUS" ]; then
169 apt-ftparchive --no-contents generate $PREFIX.generate-source-non-US169 apt-ftparchive --no-contents --no-md5 --no-sha1 generate $PREFIX.generate-source-non-US
170fi170fi
171171
172172

Subscribers

People subscribed via source and target branches