This is an automated email from the git hooks/post-receive script. guillem pushed a commit to branch main in repository dpkg.
View the commit online: https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=4ed783dc7f83f97642ca206d05fc155c636dfb3a commit 4ed783dc7f83f97642ca206d05fc155c636dfb3a Author: Guillem Jover <guil...@debian.org> AuthorDate: Tue Jun 6 23:56:25 2023 +0200 man: Document weak checksum algorithms Add an attribute describing whether the fields are weak or strong, and a note explicitly explaining their secure verification status. --- man/deb-buildinfo.pod | 9 ++++++--- man/deb-changes.pod | 12 ++++++++++-- man/dsc.pod | 9 ++++++--- 3 files changed, 22 insertions(+), 8 deletions(-) diff --git a/man/deb-buildinfo.pod b/man/deb-buildinfo.pod index 2f8ac43da..9f43952f7 100644 --- a/man/deb-buildinfo.pod +++ b/man/deb-buildinfo.pod @@ -127,11 +127,11 @@ single full stop (‘.’) and all lines are indented by one space character. The exact content depends on the changelog format. -=item B<Checksums-Md5:> (required) +=item B<Checksums-Md5:> (required, weak) -=item B<Checksums-Sha1:> (required) +=item B<Checksums-Sha1:> (required, weak) -=item B<Checksums-Sha256:> (required) +=item B<Checksums-Sha256:> (required, strong) =item S< >I<checksum> I<size> I<filename> @@ -141,6 +141,9 @@ These fields have the same syntax and differ only in the checksum algorithm used: MD5 for B<Checksums-Md5>, SHA-1 for B<Checksums-Sha1> and SHA-256 for B<Checksums-Sha256>. +B<Note>: The MD5 and SHA-1 checksums are considered weak, +and should never be assumed to be sufficient for secure verification. + The first line of the field value (the part on the same line as the field name followed by a colon) is always empty. The content of the field is expressed as continuation lines, one line per file. diff --git a/man/deb-changes.pod b/man/deb-changes.pod index 282d3396a..2813eba5e 100644 --- a/man/deb-changes.pod +++ b/man/deb-changes.pod 
@@ -181,9 +181,14 @@ This field lists all files that make up the upload. The list of files in this field must match the list of files in the other related B<Checksums> fields. -=item B<Checksums-Sha1:> (required) +B<Note>: The MD5 checksum is considered weak, +and should never be assumed to be sufficient for secure verification, +but this field cannot be omitted as it provides metadata not available +anywhere else. -=item B<Checksums-Sha256:> (required) +=item B<Checksums-Sha1:> (required, weak) + +=item B<Checksums-Sha256:> (required, strong) =item S< >I<checksum> I<size> I<filename> @@ -202,6 +207,9 @@ These fields list all files that make up the upload. The list of files in these fields must match the list of files in the B<Files> field and the other related B<Checksums> fields. +B<Note>: The SHA-1 checksum is considered weak, +and should never be assumed to be sufficient for secure verification. + =back =head1 BUGS diff --git a/man/dsc.pod b/man/dsc.pod index 9e6f91624..f82fdc966 100644 --- a/man/dsc.pod +++ b/man/dsc.pod @@ -248,11 +248,11 @@ B<Essential> field, that is a B<yes> value. =back -=item B<Files:> (required) +=item B<Files:> (required, weak) -=item B<Checksums-Sha1:> (required) +=item B<Checksums-Sha1:> (required, weak) -=item B<Checksums-Sha256:> (required) +=item B<Checksums-Sha256:> (required, strong) =item S< >I<checksum> I<size> I<filename> @@ -272,6 +272,9 @@ These fields list all files that make up the source package. The list of files in these fields must match the list of files in the other related fields. +B<Note>: The MD5 and SHA-1 checksums are considered weak, +and should never be assumed to be sufficient for secure verification. + =back =head1 BUGS -- Dpkg.Org's dpkg
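Review bot: The new "weak" and "strong" attribute values introduced in the @@ -127 hunk of deb-buildinfo.pod (and repeated in the deb-changes.pod and dsc.pod hunks) are never defined; the existing "(required)" attribute is an established convention, but nothing in this patch tells the reader what "weak" or "strong" means for a checksum field or which field a verifier should actually rely on. Suggest defining the two values once per page, or at minimum extending each added B<Note> so it names the strong field, e.g. "and should never be assumed to be sufficient for secure verification; B<Checksums-Sha256> should be used instead."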
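Review bot: The @@ -181 hunk of deb-changes.pod is inconsistent with the @@ -248 hunk of dsc.pod: in dsc.pod the B<Files:> item becomes "=item B<Files:> (required, weak)", but in deb-changes.pod the hunk only inserts the B<Note> paragraph under the Files description and leaves the corresponding =item line untouched, so that page's Files field carries no weak/strong attribute at all. Either annotate it the same way (`=item B<Files:> (required, weak)`) or state in the note why the attribute is deliberately omitted there; the note's "provides metadata not available anywhere else" would also read better if it said which metadata that is.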