Guillem Jover wrote:
> On Tue, 2016-03-15 at 15:32:40 -0700, Josh Triplett wrote:
> > On Tue, Mar 15, 2016 at 11:15:16PM +0100, Joerg Jaspert wrote:
> > > I've just activated a few changes to the archive we talk(ed) about for a
> > > long time. And while it is not exactly the start of this release cycle,
> > > it should still work out nicely (so one hopes).
> > >
> > > As of now, InRelease/Release files, Packages and Sources no longer
> > > provide MD5Sum and SHA1sums, only SHA256.
> > >
> > > Additionally I turned off generating gzip compressed versions of those
> > > files, xz is there.
> >
> > In addition to the security improvement,
>
> The only way this might possibly improve security is by perhaps flushing
> out things that rely exclusively on weak hashes, once these start to fail.

That was what I meant, yes.

> > a quick analysis on
> > binary-amd64 shows that this will reduce the size of Packages for
> > binary-amd64 from 39MB to 35MB (uncompressed), and the size of the
> > xz-compressed version from 7.9MB to 5.9MB. Very nice!
>
> While the space reduction is nice…
>
> > That also helps reduce the impact and overhead of adding additional
> > binary packages.
>
> …I get the feeling you seem to be fixated on the metadata as the only
> problem with an explosion of additional binary packages (tiny or not).

Not at all. I just said "helps reduce"; this is one of *many* changes
that would need to happen. I'm happy to see any reduction in overhead.

> As I've commented on before, metadata size is just a tiny part of the
> overhead for a package introduced into the system:
>
> <https://lists.debian.org/debian-devel/2015/09/msg00141.html>

This is something I'm quite familiar with as well; I've reviewed many of
the various sources of overhead previously:
https://lists.debian.org/debian-devel/2015/11/msg00008.html .
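The thread's security point is that once Release files stop carrying MD5Sum and SHA1 sections, any consumer that silently accepted a weak hash gets flushed out. The following is an added illustration, not code from the thread, from apt, or from the archive tooling: a small parser for the checksum sections of a Release file (a `SHA256:` field line followed by indented `<hex> <size> <path>` lines) and a verifier that accepts an index file only when a SHA256 entry exists and both digest and size match, rejecting rather than downgrading when a Release file offers only MD5Sum/SHA1 for that path. The Release and Packages contents are constructed sample data, not real archive files.

```python
"""Verify archive index files against a Debian-style Release file using
SHA256 only. Added example; the Release/Packages data below is constructed."""
import hashlib

# Constructed sample index file, standing in for main/binary-amd64/Packages.
SAMPLE_PACKAGES = b"""Package: example
Version: 1.0-1
Architecture: amd64
Filename: pool/main/e/example/example_1.0-1_amd64.deb
"""

def _sha256(data):
    return hashlib.sha256(data).hexdigest()

# Constructed Release file in the post-change shape: SHA256 section only.
SAMPLE_RELEASE = (
    "Origin: Example\n"
    "Suite: unstable\n"
    "SHA256:\n"
    f" {_sha256(SAMPLE_PACKAGES)} {len(SAMPLE_PACKAGES)} main/binary-amd64/Packages\n"
)

# Constructed Release file in the old shape that a weak-hash-only client
# might still accept: MD5Sum and SHA1 sections, no SHA256.
SAMPLE_RELEASE_WEAK_ONLY = (
    "Origin: Example\n"
    "Suite: unstable\n"
    "MD5Sum:\n"
    f" {hashlib.md5(SAMPLE_PACKAGES).hexdigest()} {len(SAMPLE_PACKAGES)} main/binary-amd64/Packages\n"
    "SHA1:\n"
    f" {hashlib.sha1(SAMPLE_PACKAGES).hexdigest()} {len(SAMPLE_PACKAGES)} main/binary-amd64/Packages\n"
)

CHECKSUM_FIELDS = ("MD5Sum", "SHA1", "SHA256")

def parse_release(text):
    """Return {field: {path: (hexdigest, size)}} for the checksum sections.

    A checksum section starts with a field line such as 'SHA256:' and
    continues with indented lines of the form '<hex> <size> <path>'.
    Indented lines under any other field are ignored.
    """
    sections = {}
    current = None
    for line in text.splitlines():
        if line.startswith((" ", "\t")):
            if current is None:
                continue
            parts = line.split()
            if len(parts) != 3:
                raise ValueError("malformed checksum line: %r" % line)
            hexdigest, size, path = parts
            sections[current][path] = (hexdigest.lower(), int(size))
        else:
            name, _, _ = line.partition(":")
            current = name if name in CHECKSUM_FIELDS else None
            if current is not None:
                sections.setdefault(current, {})
    return sections

def verify_index(release_text, path, data):
    """Accept `data` for `path` only on a matching SHA256 entry.

    Returns (ok, reason). A Release file that lists the path only under
    MD5Sum/SHA1 is rejected explicitly instead of falling back to the
    weaker hash, which is exactly the client behaviour the archive change
    is meant to expose.
    """
    sections = parse_release(release_text)
    entry = sections.get("SHA256", {}).get(path)
    if entry is None:
        weak = [f for f in ("MD5Sum", "SHA1") if path in sections.get(f, {})]
        reason = ("only weak hashes (%s)" % ", ".join(weak)) if weak else "no checksum"
        return (False, "%s: %s in Release file" % (path, reason))
    expected_hex, expected_size = entry
    if len(data) != expected_size:
        return (False, "%s: size mismatch" % path)
    if _sha256(data) != expected_hex:
        return (False, "%s: SHA256 mismatch" % path)
    return (True, "%s: SHA256 and size verified" % path)

if __name__ == "__main__":
    index_path = "main/binary-amd64/Packages"
    print(verify_index(SAMPLE_RELEASE, index_path, SAMPLE_PACKAGES))
    print(verify_index(SAMPLE_RELEASE_WEAK_ONLY, index_path, SAMPLE_PACKAGES))
    print(verify_index(SAMPLE_RELEASE, index_path, SAMPLE_PACKAGES + b"tampered\n"))
```

Checking the size field alongside the digest is deliberate: it is cheap, it is part of what the Release file asserts, and it catches truncated or padded downloads before any hashing is done. The verifier itself does nothing about the signature on InRelease; that check sits in front of this one and is unchanged by the hash-section removal.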