lp should generate 512sums in apt release files
Bug #1536602 reported by Dimitri John Ledkov
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Launchpad itself | Won't Fix | Undecided | Unassigned |
Bug Description
lp should generate 512sums in apt release files
Looking at:
http://
It is a sha512-signed file with the highest checksums for included files being sha256.
lp should generate SHA512 sums for published archives.
Related branches
~xnox/launchpad:only-sha256: On hold for merging into launchpad:master
- Steve Langasek (community): Abstain
- Andy Whitcroft: Pending requested
- Ubuntu Package Archive Administrators: Pending requested
- Canonical Security Team: Pending requested
- Julian Andres Klode: Pending requested
- Launchpad code reviewers: Pending requested
Diff: 526 lines (+52/-126), 9 files modified
lib/lp/archivepublisher/indices.py (+0/-10)
lib/lp/archivepublisher/model/ftparchive.py (+11/-1)
lib/lp/archivepublisher/publishing.py (+2/-26)
lib/lp/archivepublisher/tests/apt-data/Packages (+0/-3)
lib/lp/archivepublisher/tests/apt-data/Sources (+0/-10)
lib/lp/archivepublisher/tests/test_generate_contents_files.py (+1/-1)
lib/lp/archivepublisher/tests/test_indices.py (+2/-22)
lib/lp/archivepublisher/tests/test_publish_ftpmaster.py (+3/-2)
lib/lp/archivepublisher/tests/test_publisher.py (+33/-51)
Changed in launchpad:
status: New → Won't Fix
SHA-512 doesn't offer any serious benefits over SHA-256 now, and both being slight variants within the SHA-2 family, it's not likely that this will change soon. Since SHA-512 would hugely bloat the compressed and uncompressed sizes of Release and Packages, the cons far outweigh the pros.
If I had been involved in implementing apt's SHA-2 support, I would have gone with SHA-512/256 to gain possible future proofness from SHA-512 while eliminating length extension attacks and the size downside, but SHA-256 is the best SHA-2 tradeoff supported by apt today.
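The two points raised in this bug, as an added example (not Launchpad or apt code): parsing the checksum sections of a Release file to find the strongest digest it carries and verify index files against it, and measuring what a SHA512 section adds per listed file. The file names, contents and function names are constructed for illustration.

```python
import hashlib

# Release checksum sections, weakest to strongest, mapped to hashlib names.
FIELDS = {"MD5Sum": "md5", "SHA1": "sha1", "SHA256": "sha256", "SHA512": "sha512"}

def render_section(field, files):
    """Build one checksum section: ' <hexdigest> <size> <path>' per file."""
    lines = [f"{field}:"]
    for path, data in files.items():
        digest = hashlib.new(FIELDS[field], data).hexdigest()
        lines.append(f" {digest} {len(data):>16} {path}")
    return "\n".join(lines) + "\n"

def parse_release(text):
    """Return {field: {path: (hexdigest, size)}} for every checksum section."""
    sections, current = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and current:
            digest, size, path = line.split()
            sections[current][path] = (digest, int(size))
        else:
            name = line.split(":", 1)[0]
            current = name if name in FIELDS else None
            if current:
                sections[current] = {}
    return sections

def strongest(sections):
    """Name of the strongest checksum section present, or None."""
    present = [f for f in FIELDS if f in sections]
    return present[-1] if present else None

def verify(sections, files):
    """Paths missing or mismatching (size or digest) the strongest section."""
    field = strongest(sections)
    if field is None:
        raise ValueError("Release has no checksum section")
    def ok(path, digest, size):
        data = files.get(path)
        return (data is not None and len(data) == size
                and hashlib.new(FIELDS[field], data).hexdigest() == digest)
    return [p for p, (d, s) in sections[field].items() if not ok(p, d, s)]

# Constructed sample index files and Release text (not taken from a real archive).
FILES = {"main/binary-amd64/Packages": b"Package: demo\nVersion: 1.0\n",
         "main/binary-amd64/Packages.gz": b"constructed-gzip-bytes"}
RELEASE = "Origin: Example\nSuite: demo\n" + render_section("SHA256", FILES)

if __name__ == "__main__":
    print(strongest(parse_release(RELEASE)), verify(parse_release(RELEASE), FILES))
```

Each file listed in a SHA512 section costs 64 more hex characters than its SHA256 entry, before compression.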