Re: [ptxdist] Replace MD5 with SHA256 hashes all at once

[Bruno Thomsen <bth@kamstrup.com>]

Hi Michael,

> Enable all Packages (and ALLYES) in a BSP and then run 'ptxdist get' to download them all.
> And the first step must be to support checking md5 or sha256, whichever is available. We still need md5 so we don't break BSPs with local packages during the transition.
>
> > Sounds like a good idea, but then I would prefer that 2-3 ppl run the 
> > script, just to make sure different proxies are used.
>
> While this is a nice idea, this only works for the existing packages. I can't do the same for new packages or new versions of existing packages.

I don't expect we do this for new packages, only on exiting due to the sheer number of packages.

> So far the checksum has only been a protection against broken archives or stupid upstream. It is not a security feature. If we change that, then we need a way to verify, that the initial checksums are correct. I don't know how I can do that for new packages.

Ideally all upstream packages should include a SHA256 hash when they are releasing new versions.
Unfortunate we can't change the whole world in day :)
So continue with the current way of manual download and hash, but also include audit information about download URL (in case of mirrors) and date of download.

Suggested actions:
1) include SHA256 hash in rules
2) include audit info in commit message (hash source + date)
3) push upstream packages to include SHA256
4) prefer HTTPS/FTPS as source URL in rules


/Bruno

-- 
ptxdist mailing list
ptxdist@pengutronix.de