Bug#848279: marked as done (deprecate InRelease in favor of Release.gpg)

To: Julian Andres Klode <jak@debian.org>
Subject: Bug#848279: marked as done (deprecate InRelease in favor of Release.gpg)
From: owner@bugs.debian.org (Debian Bug Tracking System)
Date: Thu, 15 Dec 2016 22:36:05 +0000
Message-id: <[🔎] handler.848279.D848279.148184119222980.ackdone@bugs.debian.org>
References: <20161215232925.GA28431@debian.org> <[🔎] daecd148-5001-8099-2d1f-5e3b2c65435f@riseup.net>

Your message dated Thu, 15 Dec 2016 23:33:02 +0100
with message-id <20161215232925.GA28431@debian.org>
and subject line Re: Bug#848279: deprecate InRelease in favor of Release.gpg
has caused the Debian Bug report #848279,
regarding deprecate InRelease in favor of Release.gpg
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
848279: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=848279
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

To: submit@bugs.debian.org

Subject: deprecate InRelease in favor of Release.gpg

From: Patrick Schleizer <adrelanos@riseup.net>

Date: Thu, 15 Dec 2016 22:16:00 +0000

Message-id: <[🔎] daecd148-5001-8099-2d1f-5e3b2c65435f@riseup.net>
Package: apt
Severity: wishlist
X-Debbugs-CC: whonix-devel@whonix.org

In light of CVE-2016-1252...

When there is Release.gpg implemented in apt, why not deprecate InRelease?
--- End Message ---

--- Begin Message ---

To: Patrick Schleizer <adrelanos@riseup.net>, 848279-done@bugs.debian.org

Subject: Re: Bug#848279: deprecate InRelease in favor of Release.gpg

From: Julian Andres Klode <jak@debian.org>

Date: Thu, 15 Dec 2016 23:33:02 +0100

Message-id: <20161215232925.GA28431@debian.org>

In-reply-to: <[🔎] daecd148-5001-8099-2d1f-5e3b2c65435f@riseup.net>

References: <[🔎] daecd148-5001-8099-2d1f-5e3b2c65435f@riseup.net>
On Thu, Dec 15, 2016 at 10:16:00PM +0000, Patrick Schleizer wrote:
> Package: apt
> Severity: wishlist
> X-Debbugs-CC: whonix-devel@whonix.org
> 
> In light of CVE-2016-1252...
> 
> When there is Release.gpg implemented in apt, why not deprecate InRelease?

You got that wrong. We deprecated Release.gpg in preference
of InRelease: Unfortunately, Release.gpg breaks atomic updates
of repositories (because Release and Release.gpg need to be updated
at the same time) and thus breaks update runs randomly with hash
sum mismatches.

So, there's really nothing we can do here.

-- 
Debian Developer - deb.li/jak | jak-linux.org - free software dev
                  |  Ubuntu Core Developer |
When replying, only quote what is necessary, and write each reply
directly below the part(s) it pertains to ('inline').  Thank you.
--- End Message ---

Reply to:

References:
- Bug#848279: deprecate InRelease in favor of Release.gpg
  - From: Patrick Schleizer <adrelanos@riseup.net>

Prev by Date: Bug#848279: deprecate InRelease in favor of Release.gpg
Next by Date: Re: not getting compromised while applying apt-get upgrade for CVE-2016-1252
Previous by thread: Bug#848279: deprecate InRelease in favor of Release.gpg
Next by thread: Re: not getting compromised while applying apt-get upgrade for CVE-2016-1252
Index(es):
- Date
- Thread