Hi, i wrote: > > jigdo-lite could now make automatic use of the *SUMS via the according > > *sum programs.
Steve McIntyre wrote: > That's a change I don't really want to make - the *SUMS we have are > specific to the Debian layout, and AFAIK we're not the only people > using jigdo. It would immediately create security. Probably more than manual ISO downloading, because people tend to omit verifying. The automatic verifying could be omitted if not gpg and sha512sums are installed and if not SHA512SUMS and SHA512SUMS.sign is found in the .jigdo file's parent directory. But if all this stuff is available, why not use it ? Not to forget, the current version of jigdo-lite can download the .jigdo file and currently does not verify it at all. At least this part should be covered by gpg under control of jigdo-lite. And then why not give .template the same verification treatment as .jigdo ? Of course Debian package jigdo-file should then depend on gpg and sha512sum. > > Or jigdo-lite could expect better .template checksums in the .jigdo file > > and jigdo-file could learn to compute such sums. > > libjte can, so jigdo-file could learn from there. > That makes much more sense, yes. As/when/if I find the time, I'll > fight with the C++ in jigdo-file to look for better checksums. As said, this cannot verify the .jigdo file (unless it gets signed non-detached by gpg). Elsewise: The SHA-512 stuff could be taken from libjte. The .jigdo file already has SHA-512 for the ISO image: # Image Hex SHA512Sum 27e41f13ce0f71e0fc503da41f3afa87285e0fc2e8ffb8d7ff4f572e26451dafd1a6f220c9256731d451400893437b0dfc17534c441f2a29a81130c59f790a50 but not for .template. jigdo-lite would have to hand the SHA-512 of .template to jigdo-file, instead of the MD5 as is done currently. jigdo-file would need a verification command that mimics sha512sum. libjte seems prepared for more .template checksums. Only MD5 is enabled by default. Compare checksum_algo_iso and checksum_algo_tmpl at https://sources.debian.org/src/jigit/1.20-2/libjte/libjte.c/#L100 xorriso calls libjte_set_checksum_template() with the argument of xorrisofs option -checksum_algorithm_template. In debian-9.3.0-i386-netinst.iso/.disk/mkisofs there is -checksum_algorithm_iso md5,sha1,sha256,sha512 but no -checksum_algorithm_template. So, to my untested theory, it should suffice to use in debian-cd -checksum_algorithm_template md5,sha1,sha256,sha512 In live-wrapper it would be -jigdo checksum_template md5,sha1,sha256,sha512 (but debian-live-9.3.0-amd64-xfce.iso/.disk/mkisofs shows no -jigdo commands.) I am a bit brain damaged today and maybe in the next days. When i am in better shape i will modify xorriso's Jigdo production regression test to see whether the production part is really that easy. Have a nice day :) Thomas
