From: 李成刚 <lichenggang@uniontech.com>
------------------ 原始邮件 ------------------ 发件人: "Guillem Jover"<guillem@debian.org>; 发送时间: 2023年6月1日(星期四) 凌晨5:33 收件人: "sweetyfish"<sweetyfish@deepin.org>; 抄送: "debian-dpkg"<debian-dpkg@lists.debian.org>; "lichenggang"<lichenggang@uniontech.com>;
主题: Re: [PATCH] dpkg-scanpackages: Add sha512 support
Thanks for the patch! Although I've had this implemented with <https://git.hadrons.org/git/debian/dpkg/dpkg.git/commit/?h=pu/sha-512&id=4df34f697309a816f6e137f13296270ea84ed938>
for some time. The problem is that this would require first checking
that consumers can cope with the new field, and do not reject files containing them (.dsc, .buildinfo, .changes, Packages, Sources, etc).
Then at least in Debian checking whether the added fields incur too
much bloat, for the potential security benefit they might bring.
(Offsetting this by removing fields would probably imply having to
bump the format versions for various of the involved files containing
these removed files.)
I'd be interested to know the motivation for this submission, and
depending on the reasoning perhaps I could modify the original patch
and make the support available but disabled by default. Also I've for
long been unsatisfied that the available support implies automatic
addition to all supported file formats, so I might also end up
untangling them.
Thank you very much for your work, we use obs
(https://openbuildservice.org/) to build the platform, obs uses dpkg-scanpackages to generate warehouses, dpkg-scanpackages does
not support sha512, and there are some wrong behaviors when mixed
with our other warehouses
------------------ 原始邮件 ------------------ 发件人: "Guillem Jover"<guillem@debian.org>; 发送时间: 2023年6月1日(星期四) 凌晨5:33 收件人: "sweetyfish"<sweetyfish@deepin.org>; 抄送: "debian-dpkg"<debian-dpkg@lists.debian.org>; "lichenggang"<lichenggang@uniontech.com>;
主题: Re: [PATCH] dpkg-scanpackages: Add sha512 support
Thanks for the patch! Although I've had this implemented with <https://git.hadrons.org/git/debian/dpkg/dpkg.git/commit/?h=pu/sha-512&id=4df34f697309a816f6e137f13296270ea84ed938>
for some time. The problem is that this would require first checking
that consumers can cope with the new field, and do not reject files containing them (.dsc, .buildinfo, .changes, Packages, Sources, etc).
Then at least in Debian checking whether the added fields incur too
much bloat, for the potential security benefit they might bring. (Offsetting this by removing fields would probably imply having to
bump the format versions for various of the involved files containing
these removed files.)
On Thu, 2023-06-01 at 09:27:09 +0800, 李成刚 wrote:
Thank you very much for your work, we use obs (https://openbuildservice.org/) to build the platform, obs uses dpkg-scanpackages to generate warehouses, dpkg-scanpackages does
not support sha512, and there are some wrong behaviors when mixed
with our other warehouses
As discussed on IRC with sweetyfish, it looks like apt and Ubuntu's
archive software (via Launchpad.net) at least support SHA512 hashes.
I see reprepro gained support for them last year. So I assume things
in general would not break. But if you are seeing breakage somewhere
that's worth investigating as these should be optional fields that
would in general only cause failures if they are missing and there are
only weak ones present.
As mentioned above, and on IRC, adding support for this
unconditionally would require checking whether DAK (the Debian Archive
Kit software that manages the Debian archive) does not reject uploads
using those hashes, and if so adding support for them, and then for
Debian a discussion would be needed to see whether the potential bloat
is worth it.
If you manage to find the reason for your issues, and that requires
adding these hashes, then I could see adding support for conditionally enabling them, but that might end up not being a trivial change, as
this would need to be passed down from dpkg-buildpackage to dpkg-source
and dpkg-genbuildinfo for example, although not an insurmountable one.
Sysop: | Keyop |
---|---|
Location: | Huddersfield, West Yorkshire, UK |
Users: | 300 |
Nodes: | 16 (2 / 14) |
Uptime: | 39:39:39 |
Calls: | 6,708 |
Calls today: | 1 |
Files: | 12,241 |
Messages: | 5,353,642 |