launchpad-reviewers team mailing list archive

Re: [Merge] ~xnox/launchpad:only-sha256 into launchpad:master

 

We are not able to remove Description-md5. We can add Description-ID instead and then dump SHA256 in there or SHA3 or whatever if people feel happier but for all intents and purposes this could also be a UUID. APT in 24.04 won't care what's in there and isn't able to calculate it itself either.

From the client side it's just a unique ID to identify the string.

All that really matters is that you don't get two different descriptions with the same one; whether you pick MD5, SHA3, a non-cryptographic hash, or a UUID isn't relevant.

Rolling out to older releases is an absolute no-go, at least directly. This will likely break a ton of stuff and we can't just go break production systems.

Like this is nice hardening but we also have much more gaping security holes like trusting 1024-bit RSA keys in OpenPGP and no story to rotate them for PPAs.
-- 
https://code.launchpad.net/~xnox/launchpad/+git/launchpad/+merge/452749
Your team Launchpad code reviewers is requested to review the proposed merge of ~xnox/launchpad:only-sha256 into launchpad:master.