This page tracks the progress in supporting debian/sha256sums in debian packages.
Rational
- MD5SUMS is considered weak nowadays
- The checksum has proven to be useful in the past (both for checking the integrity of installed files, to reduce the amount of data to backup, and for security reasons)
- Some users still want to rely on the checksum provided in the archive to validate the authenticity of files.
The SHA256 algorithm is used:
- FTP master already provides SHA1 and SHA256
- SHA-1 is supposed to have some flaws, that SHA2 don't have (yet;).
- Shipping both SHA1 and SHA256 would consume more space with little benefits.
Todo List
Policy
Before the release:
- add "can provide sha256sums"
After the release:
- Replace "should provide md5sums" with "can provide md5sums" and "should provide sha256sums"
Lintian
Same as policy... Before the release:
573088 - Allow and recommend sha256sums control file
After the release:
- Warn if debian/rules still use dh_md5sum
warn if grep "md5sum .*>.*md5sum" debian/rules
- warn if binary package don't contain debian/sha256sums
Build systems
debhelper
540215 - Introduce dh_checksums
cdbs
- Nothing to do during the transition period.
- Once dh_checksums is merged in debhelper, submit a patch to deprecate DEB_DH_CHECKSUMS_ARGS in favor of DEB_DH_MD5SUMS_ARGS.
- Once dh_checksums is common enough (and/or cdbs can depend on appropriate debhelper, replace the command dh_md5sums with dh_checksums in debhelper.mk.
checksum validation
debsums
TODO
Issues: prelink only has built-in MD5 or SHA1
dpkg
TODO
sha256sums file is saved in /var/lib/dpkg/info/
offline checking
- Write a tool to validate the checksums offline (i.e when the root partition is mounted as a slave)
Making checksum compulsory
Lintian has a test no-md5sums-control-file :
This package does not contain an md5sums control file. This control file listing the MD5 checksums of the contents of the package is not required, but if present debsums can use it to verify that no files shipped with your package have been modified. Providing it is recommended. If you are using debhelper to create your package, just add a call to dh_md5sums at the end of your binary-indep or binary-arch target, right before dh_builddeb.
See stats: http://lintian.debian.org/tags/no-md5sums-control-file.html
See 572571 packages SHOULD ship checksums (a-la dh_md5sums, but better)
FAQ
Lintian reports W: foobar: unknown-control-file sha256sums
- Lintian does not support SHA256 at this time. Make sure us use a version of Lintian with the patch above.
TODO
As I reviewed perl's shasum, I wondered whether we should force SHA256, or accept/autodetect the SHA algorithm, based on the hash length. they use:
/usr/share/cdbs/1/rules/debhelper.mk: dh_md5sums -p$(cdbs_curpkg) $(DEB_DH_MD5SUMS_ARGS)