
Re: Signature strength of .dsc



On Fri, 1 Dec 2023 at 00:20, Dimitri John Ledkov <xnox@debian.org> wrote:
>
> Hi,
>
> Currently dak requires signatures on .changes & .dsc uploads. .changes with signatures are publicly announced and then .dsc are published in the archive with signatures. .changes references .dsc.
>
> All .dsc have Checksums-Sha256 for the files they reference, .dsc itself can be verified through strong checksum in Sources metadata, chained via InRelease to the strong debian archive key signature.
>
> The same is not true for signatures on .dsc themselves. Majority of .dsc use at least sha256 and can be successfully verified.
>
> But some use weak hash:
> 5 dsc signed using Hash: RIPEMD160
> 152 dsc signed using Hash: SHA1
>

May I file a bug report to lintian to consider such a pedantic check
(when it can) to warn about using such legacy algo functions?

May I also do a mass bug file against the above set of packages, at
wishlist priority to nudge maintainers (or QA or Janitor) to make an
upload? Ideally bundled with any other reasonable modernisations. As such an
algorithm indicates that the package is likely to be either very
stable or in potential need of a bit of TLC?

-- 
Regards,

Dimitri.
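The count quoted above ("dsc signed using Hash: SHA1") comes from the armor header of clearsigned .dsc files. The script below, an added example that is not part of this thread nor of dak or lintian, shows the kind of check a lintian tag or an archive-wide survey could run over .dsc text: it reads the `Hash:` armor header(s) of the clearsigned block and classifies them. The sample .dsc fragments are constructed; the digest sets are assumptions for illustration.

```python
"""Flag .dsc files whose clearsign armor header advertises a weak digest.

Constructed example, not code from the mailing-list thread or from dak/lintian.
Caveat: the Hash armor header (RFC 4880 section 7) is only a hint for the
verifier; the digest actually used is recorded in the signature packet, so a
definitive check should confirm with gpg --verify.
"""

# Assumed policy sets for this example.
WEAK_DIGESTS = {"MD5", "SHA1", "RIPEMD160"}
STRONG_DIGESTS = {"SHA224", "SHA256", "SHA384", "SHA512"}

BEGIN = "-----BEGIN PGP SIGNED MESSAGE-----"


def clearsign_hashes(text):
    """Return digest names announced in the clearsign armor headers.

    RFC 4880 says a missing Hash header means MD5, so an empty header
    block is reported as ["MD5"]; a file with no clearsign block gives [].
    """
    lines = text.splitlines()
    if BEGIN not in lines:
        return []  # not clearsigned (e.g. an unsigned .dsc)
    hashes = []
    for line in lines[lines.index(BEGIN) + 1:]:
        if line.strip() == "":
            break  # the blank line ends the armor header block
        key, _, value = line.partition(":")
        if key.strip().lower() == "hash":
            hashes += [h.strip().upper() for h in value.split(",") if h.strip()]
    return hashes or ["MD5"]


def classify(text):
    """'unsigned', 'weak' (any weak digest listed), 'strong', or 'unknown'."""
    hashes = clearsign_hashes(text)
    if not hashes:
        return "unsigned"
    if any(h in WEAK_DIGESTS for h in hashes):
        return "weak"
    if all(h in STRONG_DIGESTS for h in hashes):
        return "strong"
    return "unknown"


# Constructed .dsc fragments (signature bodies omitted).
DSC_SHA1 = BEGIN + "\nHash: SHA1\n\nFormat: 3.0 (quilt)\nSource: example\n"
DSC_SHA256 = BEGIN + "\nHash: SHA256\n\nFormat: 3.0 (quilt)\nSource: example\n"
DSC_NO_HASH = BEGIN + "\n\nFormat: 1.0\nSource: example\n"
DSC_UNSIGNED = "Format: 3.0 (quilt)\nSource: example\n"
```

Running it over every `.dsc` in a mirror's pool and tallying `classify()` reproduces the kind of per-algorithm counts quoted in the message.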

