
launchpad-reviewers team mailing list archive

[Merge] ~xnox/launchpad:only-sha256 into launchpad:master

 

The proposal to merge ~xnox/launchpad:only-sha256 into launchpad:master has been updated.

Commit message changed to:

archivepublisher: consistently use only sha256 for apt archives

Unused hashes are redundant, and are now causing interop problems with
overly strict programs and humans.

Summary of changes:

 * Remove md5, sha1 from Release, Packages, Sources metadata in
   primary & ppa publisher.

 * Change i18n Index from SHA1 to SHA256. Uncertain if actually used
   by clients.

 * Remove sha512 from Packages & Sources in primary publisher only, do
   not exist anywhere else. (Also see LP: #1536602). Also it is
   noticeably slow even on most modern hardware for rudimentary
   repository sizes.

 * Ensure and enforce consistent publishing by both primary & ppa
   publisher, irrespective of host release.

Note Description-md5 is intentionally left in place, as it's actually just a string compare key, and not security sensitive.

Note that overall security is provided by rsa-pkcs1-v1_5 + sha512 signatures since trusty.

Minimum required apt for Launchpad host deployment is 1.1 (Xenial) due to `--no-sha512` option usage.

Minimum required apt for clients is 0.7.7 (Hardy), subject to compatible signing. Minimum required python-apt client patched for verification bypass CVE-2019-15795 https://security-tracker.debian.org/tracker/CVE-2019-15795

This implementation is intentionally global for all suites in both
primary and ppa publishers.

Fixes LP: #1883271

For more details, see:
https://code.launchpad.net/~xnox/launchpad/+git/launchpad/+merge/452749
-- 
Your team Launchpad code reviewers is requested to review the proposed merge of ~xnox/launchpad:only-sha256 into launchpad:master.
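
An added example, not part of the original message and not Launchpad's own code: a small auditor that parses the checksum sections of an apt Release file and reports anything that deviates from the SHA256-only publishing described in the commit message above. The function names, the sample Release text and its placeholder digests are constructed for illustration.

```python
import re

# Checksum sections an apt Release file may carry, with hex digest lengths.
HASH_FIELDS = {"MD5Sum": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

def parse_release_hashes(text):
    """Return {section: {path: (digest, size)}} for each checksum section."""
    sections, current = {}, None
    for line in text.splitlines():
        if line[:1] in (" ", "\t"):
            if current is None:
                continue  # continuation of a field we do not audit
            parts = line.split()
            if len(parts) != 3:
                raise ValueError(f"malformed {current} entry: {line!r}")
            digest, size, path = parts
            if not re.fullmatch(r"[0-9a-f]{%d}" % HASH_FIELDS[current], digest):
                raise ValueError(f"bad {current} digest for {path}")
            sections[current][path] = (digest, int(size))
        else:
            name = line.split(":", 1)[0]
            current = name if name in HASH_FIELDS else None
            if current:
                sections.setdefault(current, {})
    return sections

def audit_release(text):
    """List deviations from a SHA256-only publishing policy."""
    sections = parse_release_hashes(text)
    findings = [f"unexpected {name} section ({len(entries)} entries)"
                for name, entries in sections.items() if name != "SHA256"]
    if not sections.get("SHA256"):
        findings.append("no SHA256 entries")
    return findings

# Constructed sample input: placeholder digests, not real archive data.
HEADER = "Origin: Example\nSuite: example-suite\n"
SHA256_ONLY = HEADER + f"SHA256:\n {'a' * 64} 1234 main/binary-amd64/Packages\n"
LEGACY = (HEADER + f"MD5Sum:\n {'b' * 32} 1234 main/binary-amd64/Packages\n"
          + f"SHA1:\n {'c' * 40} 1234 main/binary-amd64/Packages\n"
          + SHA256_ONLY[len(HEADER):])

if __name__ == "__main__":
    for label, text in (("sha256-only", SHA256_ONLY), ("legacy", LEGACY)):
        print(label, audit_release(text) or "OK")
```

The auditor reads an unsigned Release body only; it does not verify the archive signature, which the message names as the source of overall security.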