launchpad-reviewers team mailing list archive

[Dimitri John Ledkov <mp+452749@xxxxxxxxxxxxxxxxxx>]

> It's possible this doesn't affect Ubuntu but there were/are tools in Debian
> written before apt-secure that only used MD5Sum when present. Removing that,
> they just don't do any validation.

If they don't support SHA512 signature, they are not validating anything at all.
And if they do support SHA512 signature they must not rely on MD5Sums.
So the set of such tools is either zero, or they are just broken for years now.

Presence of MD5S is causing interoperability already. Presence of SHA1 will cause interoperability with other 140-3 certified systems hitting us next year. Whilst Ubuntu implemented usage flags in our FIPS, many other implementors did not.

This merge proposal is choosing to improve interoperability with too strict programs, at the expense of broken ones. Correctly implemented clients gain performance boost.


> 
> I would not want this to be global, the fields disappearing suddenly in focal-
> updates etc would be awkward; I'd like to see this trialed in mantic+1 and
> proposed pockets first. So that we can see which tools break and fix them
> before users see it.

If requested by launchpad team, I happy to redo this again, but it would require database schema changes to add publisher feature flags. As currently publisher code does not hardcodes any suite names or ranges, whilst hardcoding hashes to use.
-- 
https://code.launchpad.net/~xnox/launchpad/+git/launchpad/+merge/452749
Your team Launchpad code reviewers is requested to review the proposed merge of ~xnox/launchpad:only-sha256 into launchpad:master.