On Thu, Mar 11, 2021 at 3:31 AM Matthias Dellweg <mdell...@redhat.com> wrote:
>
>
>
> On Thu, Mar 11, 2021 at 9:13 AM Neal Gompa <ngomp...@gmail.com> wrote:
>>
>> On Wed, Mar 10, 2021 at 10:20 PM Brian Bouterse <bmbou...@redhat.com> wrote:
>> >
>> > Thanks Quirin for the questions. I put my understanding and
>> > recommendations inline. Other devs please share your perspectives and
>> > advice, especially if they differ from what is written here. More
>> > questions and discussion are welcome. This is complicated stuff, but we
>> > want to be here to help.
>> >
>> > On Wed, Mar 10, 2021 at 11:40 AM Quirin Pamp <p...@atix.de> wrote:
>> >>
>> >> To summarize: I am uncertain how best to proceed, but perhaps I am
>> >> overthinking this and simply respecting ALLOWED_CONTENT_CHECKSUMS and
>> >> letting users decide is best.
>> >
>> > The question I'll ask to help answer yours is: how much does pulp_deb
>> > break with 3.11's defaults? This would be good to know. Want to run a few
>> > tests and let us know? Maybe we can help give more info with that.
>> >
>> > Aside from that, my general advice is to expect that pulp_deb users will
>> > change this setting, and to have the pulp_deb code work with the checksums
>> > it has available and error when it cannot fulfill their request due to not
>> > having the checksums it would need to do so.
>>
>> There is one difference between the RPM ecosystem and the Debian
>> ecosystem here. APT will absolutely choke on a repository if MD5 is
>> missing, even if it won't use it for "integrity". Various aspects of the
>> Debian ecosystem still use MD5 because it's the only guaranteed algorithm.
>>
>> Two major points where it's still mandatory:
>>
>> * Debian Source Control files and repodata generated for "sources".
>> The dsc file (ex. rpm[1]) uses MD5 for *file list*, and that's *not*
>> optional. There *are* extra Checksums sections that you're supposed to
>> use for integrity verification, but they are technically optional, and
>> the only *guaranteed* algorithm is MD5, which is used for the Files
>> section.
>>
>> * Debian InRelease and other repodata index files. The InRelease file
>> (ex. Ubuntu 20.04[2]) *guarantees* MD5Sums (note capital "S") for the
>> file list, and while the current advice is that clients *must* also
>> request a SHA2 algorithm to verify the integrity of the files, the
>> first section using MD5 *must* be present or the repodata is invalid.
>>
>> The repository format wiki page[3] somewhat details this (though being
>> a wiki page, it's as inconsistent as any other wiki page, yay?).
>
>
> Reading this section from the Wiki page you mention, I understand that
> everything but SHA256 is indeed optional in the Release file (and I assume
> the InRelease file too).
>
> Servers shall provide the InRelease file, and might provide a Release files
> and its signed counterparts with at least the following keys:
>
> Suite and/or Codename
> Architectures
> Components
> Date
> SHA256
>
> Still having an unsigned Release file and MD5Sum is currently highly
> recommended.

Unsigned Release is probably the only truly optional part (and that's
needed for pre-2016 APT versions), but in practice, I haven't been able
to leave out MD5Sum from APT repository metadata without breaking
clients. Admittedly, I haven't tried recently (as in not in the last
couple of years, the last time I tried was in the Ubuntu 17.04
timeframe).

-- 
真実はいつも一つ!/ Always, there's only one truth!
_______________________________________________
Pulp-dev mailing list
Pulp-dev@redhat.com
https://listman.redhat.com/mailman/listinfo/pulp-dev
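The thread turns on two things: which digest sections (MD5Sum, SHA256, ...) a Release/InRelease file actually publishes per index file, and how a server should behave when an administrator restricts the allowed algorithms. The script below is an added illustration written for this page; it is not pulp_deb or Pulp code. It parses the hash sections of a constructed Release file into a per-file table, reports which files lack a given algorithm, and verifies a file's bytes with the strongest digest that is both published and allowed, raising a clear error when none is (the behaviour Brian recommends). The `allowed` parameter stands in for an ALLOWED_CONTENT_CHECKSUMS-style setting; the actual default value of that setting is not taken from this thread, so callers pass it explicitly.

```python
import hashlib
from typing import Dict, Iterable, Tuple

# Section names used in Release/InRelease files, mapped to hashlib names.
ALGORITHM_SECTIONS = {"MD5Sum": "md5", "SHA1": "sha1",
                      "SHA256": "sha256", "SHA512": "sha512"}
# Preference order when more than one digest is published for a file.
STRENGTH_ORDER = ("sha512", "sha256", "sha1", "md5")

# Constructed sample (not real repository data): the Packages index is listed
# under both MD5Sum and SHA256, the nested Release file only under MD5Sum.
SAMPLE_RELEASE = """\
Origin: Example
Suite: stable
Codename: example
Architectures: amd64
Components: main
Date: Thu, 11 Mar 2021 00:00:00 UTC
MD5Sum:
 9e107d9d372bb6826bd81d3542a419d6 43 main/binary-amd64/Packages
 d41d8cd98f00b204e9800998ecf8427e 0 main/binary-amd64/Release
SHA256:
 d7a8fbb307d7809469ca9abcb0082e4f8d5651e46d3cdb762d02d0bf37c9e592 43 main/binary-amd64/Packages
"""
# Constructed contents of the two index files named above.
SAMPLE_PACKAGES = b"The quick brown fox jumps over the lazy dog"
SAMPLE_INDEX_RELEASE = b""

# path -> {hashlib name -> (hex digest, size in bytes)}
FileTable = Dict[str, Dict[str, Tuple[str, int]]]


class ChecksumUnavailable(Exception):
    """No digest that the deployment allows is published for the file."""


def parse_release(text: str) -> Tuple[Dict[str, str], FileTable]:
    """Split a Release file into its header fields and its per-file digests."""
    headers: Dict[str, str] = {}
    files: FileTable = {}
    current = None  # hashlib name of the digest section being read, if any
    for line in text.splitlines():
        if line.startswith(" "):
            if current is None:
                continue  # continuation line of a non-digest field
            digest, size, path = line.split()
            files.setdefault(path, {})[current] = (digest, int(size))
        elif ":" in line:
            key, _, value = line.partition(":")
            if key in ALGORITHM_SECTIONS:
                current = ALGORITHM_SECTIONS[key]
            else:
                current = None
                headers[key] = value.strip()
    return headers, files


def files_without(files: FileTable, algo: str) -> list:
    """Paths that the Release file does not cover with the given algorithm."""
    return sorted(path for path, digests in files.items() if algo not in digests)


def pick_algorithm(published: Iterable[str], allowed: Iterable[str]) -> str:
    """Strongest algorithm that is both published and allowed, else an error."""
    for algo in STRENGTH_ORDER:
        if algo in published and algo in allowed:
            return algo
    raise ChecksumUnavailable(
        f"published {sorted(published)} but allowed {sorted(allowed)}")


def verify_file(path: str, data: bytes, files: FileTable,
                allowed: Iterable[str]) -> Tuple[str, bool]:
    """Return (algorithm used, whether size and digest both match)."""
    entries = files[path]
    algo = pick_algorithm(entries, allowed)
    digest, size = entries[algo]
    actual = hashlib.new(algo, data).hexdigest()
    return algo, (len(data) == size and actual == digest)


if __name__ == "__main__":
    hdrs, table = parse_release(SAMPLE_RELEASE)
    print("suite:", hdrs["Suite"])
    print("files lacking sha256:", files_without(table, "sha256"))
    print(verify_file("main/binary-amd64/Packages", SAMPLE_PACKAGES, table, {"sha256"}))
    try:
        verify_file("main/binary-amd64/Release", SAMPLE_INDEX_RELEASE, table, {"sha256"})
    except ChecksumUnavailable as exc:
        print("cannot verify:", exc)
```

Run with `allowed={"sha256"}` the nested Release file can only be reported as unverifiable, which is exactly the situation the thread describes for metadata that publishes MD5Sum alone; `files_without(table, "sha256")` gives a quick inventory of such files before deciding whether a repository can be served under a restricted setting.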