missing strong hashes in some suites of the caffeine-developers PPA

Bug #1716550 reported by Paul Wise (Debian)
Affects: Launchpad itself
Status: Triaged
Importance: Low
Assigned to: Unassigned
Milestone: none

Bug Description

The Sources files for these deb-src lines from the caffeine-developers
PPA are missing SHA1 and SHA256 checksums for the .dsc file:

deb-src http://ppa.launchpad.net/caffeine-developers/ppa/ubuntu raring main
deb-src http://ppa.launchpad.net/caffeine-developers/ppa/ubuntu oneiric main
deb-src http://ppa.launchpad.net/caffeine-developers/ppa/ubuntu karmic main
deb-src http://ppa.launchpad.net/caffeine-developers/ppa/ubuntu lucid main
deb-src http://ppa.launchpad.net/caffeine-developers/ppa/ubuntu precise main
deb-src http://ppa.launchpad.net/caffeine-developers/ppa/ubuntu natty main
deb-src http://ppa.launchpad.net/caffeine-developers/ppa/ubuntu maverick main
deb-src http://ppa.launchpad.net/caffeine-developers/ppa/ubuntu quantal main

Here is an example of the problem from raring:

Files:
 ced7210fab7ab46247f96e2cee8580f7 161718 caffeine_2.4.1+478~raring1.tar.gz
 a23882611203d1bbbdf8334f96a29469 657 caffeine_2.4.1+478~raring1.dsc
Checksums-Sha1: 299e4f4a7a5ec3bc660be1008114b3f7551e0fe6 161718 caffeine_2.4.1+478~raring1.tar.gz
Checksums-Sha256: 1f17b657cecb66ab2ba397daa12b934760bbc9492cbf3a7d4a7b8a97bde12c1c 161718 caffeine_2.4.1+478~raring1.tar.gz

MD5 is an extremely weak hash and should not be relied on.

I do not know how widespread this issue is, please investigate.

Also, aren't the above suites obsolete?
Shouldn't they be removed from all PPAs?

 affects launchpad
 subscribe ubuntu-archive

--
bye,
pabs

https://wiki.debian.org/PaulWise

Colin Watson (cjwatson) wrote :

This was basically bug 1190879. Individual archive/suite pairs that were last published before that fix landed will vary depending on the exact way the upload happened, but everything after that should consistently have the stronger hashes. Unfortunately with the current architecture republishing all old PPAs would be extremely expensive - it would be much worse than https://www.chiark.greenend.org.uk/~cjwatson/blog/re-signing-ppas.html, which was just about re-signing Release files.

We haven't historically removed old suites from PPAs, essentially because PPAs are user-managed and it's up to them to clean up. It's conceivable that we might change that policy at some point, but it would be a substantial change requiring announcement and discussion.

Please don't subscribe ~ubuntu-archive to bug reports about PPAs; it is not their area. I've unsubscribed them.

Changed in launchpad:
status: New → Triaged
importance: Undecided → Low
tags: added: lp-soyuz soyuz-publish
Colin Watson (cjwatson) wrote :

(I've triaged this as Low not because I don't think strong hashes are important - I do - but because it only affects suites last published over four years ago, and because the cleanup work for those would be very arduous and difficult to prioritise over other things.)

tags: added: ppa