On Thu, Mar 11, 2021 at 9:13 AM Neal Gompa <ngomp...@gmail.com> wrote:
> On Wed, Mar 10, 2021 at 10:20 PM Brian Bouterse <bmbou...@redhat.com> > wrote: > > > > Thanks Quirin for the questions. I put my understanding and > recommendations inline. Other devs please share your perspectives and > advice, especially if they differ from what is written here. More questions > and discussion are welcome. This is complicated stuff, but we want to be > here to help. > > > > On Wed, Mar 10, 2021 at 11:40 AM Quirin Pamp <p...@atix.de> wrote: > >> > >> To summarize: I am uncertain how best to proceed, but perhaps I am > overthinking this and simply respecting ALLOWED_CONTENT_CHECKSUMS and > letting users decide is best. > > > > The question I'll ask to help answer yours is: how much does pulp_deb > break with 3.11's defaults? This would be good to know. Want to run a few > tests and let us know? Maybe we can help give more info with that. > > > > Aside from that, my general advice is to expect that pulp_deb users will > change this setting, and to have the pulp_deb code work with the checksums > it has available and error when it cannot fulfill their request due to not > having the checksums it would need to do so. > > There is one difference between the RPM ecosystem and the Debian > ecosystem here. APT will absolutely choke on a repository if MD5 is > missing, even if it won't use it for "integrity". Various aspects of the > Debian > ecosystem still use MD5 because it's the only guaranteed algorithm. > > Two major points where it's still mandatory: > > * Debian Source Control files and repodata generated for "sources". > The dsc file (ex. rpm[1]) uses MD5 for *file list*, and that's *not* > optional. There *are* extra Checksums sections that you're supposed to > use for integrity verification, but they are technically optional, and > the only *guaranteed* algorithm is MD5, which is used for the Files > section. > > * Debian InRelease and other repodata index files. The InRelease file > (ex. Ubuntu 20.04[2]) *guarantees* MD5Sums (note capital "S") for the > file list, and while the current advice is that clients *must* also > request a SHA2 algorithm to verify the integrity of the files, the > first section using MD5 *must* be present or the repodata is invalid. > > The repository format wiki page[3] somewhat details this (though being > a wiki page, it's as inconsistent as any other wiki page, yay?). > Reading this section from the Wiki page you mention, I understand that everything but SHA256 is indeed optional in the Release file (and i assume the InRelease file too). *Servers shall provide the InRelease file, and might provide a Release files and its signed counterparts with at least the following keys: * - *Suite and/or Codename * - *Architectures * - *Components * - *Date * - *SHA256 * *Still having a unsigned Release file and MD5Sum is currently highly recommended. * > Probably the correct thing to do here is to make it possible to > propagate the correct error information up so that users can be > informed about missing algorithms and *why* so they can enable it. And > if any installer is going to do Pulp with Debian, they also can't ask > for weak algorithms to be disabled. > > [1]: > http://archive.ubuntu.com/ubuntu/pool/universe/r/rpm/rpm_4.14.2.1+dfsg1-1build2.dsc > [2]: http://archive.ubuntu.com/ubuntu/dists/focal/InRelease > [3]: https://wiki.debian.org/DebianRepository/Format > > > > -- > 真実はいつも一つ!/ Always, there's only one truth! > > > _______________________________________________ > Pulp-dev mailing list > Pulp-dev@redhat.com > https://listman.redhat.com/mailman/listinfo/pulp-dev >
_______________________________________________ Pulp-dev mailing list Pulp-dev@redhat.com https://listman.redhat.com/mailman/listinfo/pulp-dev