missing strong hashes in some suites of the caffeine-developers PPA
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Launchpad itself | Triaged | Low | Unassigned | |
Bug Description
The Sources files for these deb-src lines from the caffeine-developers
PPA are missing SHA1 and SHA256 checksums for the .dsc file:
deb-src http://
deb-src http://
deb-src http://
deb-src http://
deb-src http://
deb-src http://
deb-src http://
deb-src http://
Here is an example of the problem from raring:
Files:
ced7210fab7ab4
a23882611203d1
Checksums-Sha1: 299e4f4a7a5ec3b
Checksums-Sha256: 1f17b657cecb66a
MD5 is an extremely weak hash and should not be relied on.
I do not know how widespread this issue is, please investigate.
Also, aren't the above suites obsolete?
Shouldn't they be removed from all PPAs?
affects launchpad
subscribe ubuntu-archive
--
bye,
pabs
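The check this report describes, as an added example that is not part of the original report or of Launchpad's code: it parses a Sources index and lists every file that appears under Files (MD5) but is absent from Checksums-Sha1 or Checksums-Sha256. The package name, sizes and digests in the sample stanza are constructed placeholders.

```python
import re

STRONG = ("Checksums-Sha1", "Checksums-Sha256")

def parse_stanzas(text):
    """Yield each deb822 stanza as {field: value}, folding continuation lines."""
    for block in re.split(r"\n\s*\n", text.strip()):
        fields, name = {}, None
        for line in block.splitlines():
            if line[:1] in (" ", "\t") and name:
                fields[name] += "\n" + line.strip()
            elif ":" in line:
                name, _, value = line.partition(":")
                fields[name] = value.strip()
        yield fields

def listed_files(stanza, field):
    """Filenames named in a '<digest> <size> <name>' per-line field."""
    rows = map(str.split, stanza.get(field, "").splitlines())
    return {r[2] for r in rows if len(r) == 3}

def weak_only_files(sources_text):
    """Return {(package, version): {filename: [strong fields lacking it]}}."""
    report = {}
    for st in parse_stanzas(sources_text):
        for name in sorted(listed_files(st, "Files")):
            lacking = [f for f in STRONG if name not in listed_files(st, f)]
            if lacking:
                key = (st.get("Package"), st.get("Version"))
                report.setdefault(key, {})[name] = lacking
    return report

# Constructed sample: digests are placeholders, the package name is made up.
MD5, SHA1, SHA256 = "0" * 32, "1" * 40, "2" * 64
SAMPLE = f"""\
Package: example
Version: 1.0-1
Files:
 {MD5} 1200 example_1.0-1.dsc
 {MD5} 50000 example_1.0-1.tar.gz
Checksums-Sha1:
 {SHA1} 50000 example_1.0-1.tar.gz
Checksums-Sha256:
 {SHA256} 50000 example_1.0-1.tar.gz
"""

if __name__ == "__main__":
    for (pkg, ver), gaps in weak_only_files(SAMPLE).items():
        for name, fields in gaps.items():
            print(f"{pkg} {ver}: {name} has no entry in {', '.join(fields)}")
```

To audit a real suite, pass the decompressed text of its Sources file to `weak_only_files`.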
This was basically bug 1190879. Individual archive/suite pairs that were last published before that fix landed will vary depending on the exact way the upload happened, but everything after that should consistently have the stronger hashes. Unfortunately with the current architecture republishing all old PPAs would be extremely expensive - it would be much worse than https://www.chiark.greenend.org.uk/~cjwatson/blog/re-signing-ppas.html, which was just about re-signing Release files.
We haven't historically removed old suites from PPAs, essentially because PPAs are user-managed and it's up to them to clean up. It's conceivable that we might change that policy at some point, but it would be a substantial change requiring announcement and discussion.
Please don't subscribe ~ubuntu-archive to bug reports about PPAs; it is not their area. I've unsubscribed them.