• new hash algorithm for git and maybe a goal for Bullseye ?

    From shirish शिरीष@21:1/5 to All on Wed Feb 5 18:20:01 2020
    Dear all,

    Please CC me if anybody feels like answering.

    Someone shared this [1] with me, and while it's important, it is equally
    important to point out that the work isn't complete atm. From what
    little I know, almost all of Debian's work is now using git (there may be
    some subversion and some mercurial repos), but most of the work has now
    been using gitlab/salsa [2]. While some of the comments suggest that
    SHA-1 is fine for now, one doesn't really know. From what little I can
    make out, it seems a pretty disruptive change and may have gotchas
    for the reproducible builds project [3] as well.

    I want to know what people think about it and whether there have been plans to
    discuss the same. I did take a brief look at debian-project [4] to see
    if somebody had approached them about the same, as something like this
    might be a huge change, but saw no messages about it. I am sure people
    have a view on the above, this being the security list if for nothing
    else.

    1. https://lwn.net/SubscriberLink/811068/cfeb6a67b8dfbe47/
    2. salsa.debian.org
    3. https://wiki.debian.org/ReproducibleBuilds
    4. https://lists.debian.org/debian-security

    --
    Regards,
    Shirish Agarwal शिरीष अग्रवाल
    My quotes in this email licensed under CC 3.0 http://creativecommons.org/licenses/by-nc/3.0/ http://flossexperiences.wordpress.com

    E493 D466 6D67 59F5 1FD0 930F 870E 9A5B 5869 609C

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Gunnar Wolf@21:1/5 to All on Thu Feb 6 05:40:01 2020
    shirish शिरीष wrote [Wed, Feb 05, 2020 at 05:00:16PM +0000]:
    > Dear all,
    >
    > Please CC me if anybody feels like answering.
    >
    > Someone shared this [1] with me, and while it's important, it is equally
    > important to point out that the work isn't complete atm. From what
    > little I know, almost all of Debian's work is now using git (there may be
    > some subversion and some mercurial repos), but most of the work has now
    > been using gitlab/salsa [2]. While some of the comments suggest that
    > SHA-1 is fine for now, one doesn't really know. From what little I can
    > make out, it seems a pretty disruptive change and may have gotchas
    > for the reproducible builds project [3] as well.

    Hi Shirish!

    There is a very nice article presented in LWN two days ago explaining
    more the issue; I will send you a personal mail with a free link to it
    (for other people, LWN has the policy of opening their paid content a
    week after publication, so please just wait for five more days).

    https://lwn.net/Articles/811068/

    Git is working towards being able to migrate to SHA256, and future
    migrations will probably be easier. As of right now, due to the way
    Git uses the hashes, danger is _not_ imminent and we can keep using
    it safely; Debian depends on upstream support first being ready before
    we introduce said changes; even after we introduce them, we need to
    keep older versions supported at least for a stable+oldstable
    cycle. So, no, support for SHA1-Git will not be dropped within any
    foreseeable future :-Þ

    Greetings,

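As an added illustration of "the way Git uses the hashes" mentioned above (this is example code written for this page, not code from the thread's participants or from Git itself): Git never hashes a file's raw bytes. Every object id is the digest of a small typed header, `"<type> <length>\0"`, followed by the content, and the SHA-256 migration keeps that framing and swaps only the digest function. The snippet below computes object ids for both algorithms using only the Python standard library; the sample inputs (an empty blob and a one-line file) are constructed here.

```python
import hashlib

# Object types Git stores; anything else would never be hashed by Git.
GIT_OBJECT_TYPES = ("blob", "tree", "commit", "tag")


def git_object_id(obj_type: str, content: bytes, algo: str = "sha1") -> str:
    """Return the hex object id Git assigns to `content` stored as `obj_type`.

    Git hashes the header b"<type> <length>\\0" followed by the content.
    The header is the same for SHA-1 and SHA-256 repositories; only the
    digest function named by `algo` differs.
    """
    if obj_type not in GIT_OBJECT_TYPES:
        raise ValueError(f"unknown Git object type: {obj_type}")
    if algo not in ("sha1", "sha256"):
        raise ValueError(f"Git only supports sha1 or sha256, not {algo}")
    header = f"{obj_type} {len(content)}\0".encode("ascii")
    h = hashlib.new(algo)
    h.update(header)
    h.update(content)
    return h.hexdigest()


def blob_ids(content: bytes) -> dict:
    """Object ids of the same blob under both hash functions.

    The two ids are not interchangeable: a repository stores and references
    one or the other, which is why the transition is a repository-format
    change rather than a drop-in swap.
    """
    return {algo: git_object_id("blob", content, algo) for algo in ("sha1", "sha256")}


def raw_digest_differs_from_git_id(content: bytes, algo: str = "sha1") -> bool:
    """True when the plain digest of the bytes is not the Git object id.

    This is the practical consequence of the typed header: a colliding pair
    of raw files does not automatically collide as Git blobs, and Git's
    object ids are a commitment to type and length as well as content.
    """
    return hashlib.new(algo, content).hexdigest() != git_object_id("blob", content, algo)


if __name__ == "__main__":
    # Constructed samples: the empty blob and a one-line text file.
    for sample in (b"", b"hello\n"):
        ids = blob_ids(sample)
        print(f"{sample!r}: sha1={ids['sha1']} sha256={ids['sha256']}")
```

The SHA-1 ids printed for these inputs match what `git hash-object --stdin` produces, and a repository created with `git init --object-format=sha256` produces the SHA-256 ones.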
  • From Florian Weimer@21:1/5 to All on Fri Feb 7 22:40:01 2020
    * shirish शिरीष:

    > Someone shared this [1] with me, and while it's important, it is equally
    > important to point out that the work isn't complete atm. From what
    > little I know, almost all of Debian's work is now using git (there may be
    > some subversion and some mercurial repos), but most of the work has now
    > been using gitlab/salsa [2].
    >
    > 1. https://lwn.net/SubscriberLink/811068/cfeb6a67b8dfbe47/
    > 2. salsa.debian.org

    The Salsa service is not essential for package maintenance and is kept
    at arm's length from the archive. Debian does not build directly out
    of Git; uploaders still have to create a self-contained source package
    by an out-of-band process. Whether that is better than building from
    essentially a SHA-1 hash (as building out of Git would be in some
    obvious implementations) in terms of the audit trail it provides
    is difficult to decide.
