This page tracks the progress in supporting debian/sha256sums in debian packages.

Rationale

The SHA256 algorithm is used because:

  1. FTP master already provides SHA1 and SHA256 checksums.
  2. SHA-1 is known to have some weaknesses that SHA-2 does not have (yet ;).
  3. Shipping both SHA1 and SHA256 would consume more space for little benefit.

Todo List

Policy

Before the release:

After the release:

Lintian

Same as policy... Before the release:

After the release:

Build systems

debhelper

cdbs

checksum validation

debsums

Issues: prelink only has built-in MD5 or SHA1

dpkg

TODO

offline checking

Making checksum compulsory

Lintian has a test no-md5sums-control-file:

This package does not contain an md5sums control file. This control file listing the MD5 checksums of the contents of the package is not required, but if present debsums can use it to verify that no files shipped with your package have been modified. Providing it is recommended.

If you are using debhelper to create your package, just add a call to dh_md5sums at the end of your binary-indep or binary-arch target, right before dh_builddeb. 

FAQ

Lintian reports W: foobar: unknown-control-file sha256sums

TODO

As I reviewed Perl's shasum, I wondered whether we should force SHA256, or accept/autodetect the SHA algorithm, based on the hash length. They use:
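To make the two ideas on this page concrete (a sha256sums control file laid out like dh_md5sums' md5sums file, and a debsums-style checker that autodetects the algorithm from the digest length), here is an added example. It is not code from the page, from dpkg, debsums or Lintian; the package tree it builds in a temporary directory is constructed, and the mapping from digest length to algorithm (32 hex chars = MD5, 40 = SHA-1, 64 = SHA-256) is the autodetection rule being discussed, assumed to apply to one algorithm per control file.

```python
import hashlib
import tempfile
from pathlib import Path

# Autodetect rule under discussion: hex digest length identifies the algorithm.
# Assumption: a single control file uses one algorithm throughout.
DIGEST_ALGOS = {32: "md5", 40: "sha1", 64: "sha256"}


def file_digest(path, algo):
    """Hex digest of a file, read in chunks so large binaries are not slurped."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_sums(root, control_path, algo="sha256"):
    """Write '<hexdigest>  <relative path>' for every regular file under root,
    the same layout as the md5sums control file (two spaces, no leading slash).
    Symlinks are skipped, as md5sums does not list them. Returns the entry count."""
    root = Path(root)
    lines = []
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            lines.append(f"{file_digest(p, algo)}  {p.relative_to(root).as_posix()}\n")
    Path(control_path).write_text("".join(lines))
    return len(lines)


def parse_sums_text(text):
    """Parse sums-file content; algorithm is autodetected from digest length.
    Returns (algo, [(digest, relpath), ...]); raises ValueError on a malformed
    line, an unknown digest length, or a file mixing algorithms."""
    algo, entries = None, []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        digest, sep, rel = line.partition("  ")
        if not sep or not rel:
            raise ValueError(f"line {lineno}: malformed entry")
        this = DIGEST_ALGOS.get(len(digest))
        if this is None or any(c not in "0123456789abcdef" for c in digest.lower()):
            raise ValueError(f"line {lineno}: unrecognised digest {digest!r}")
        if algo is None:
            algo = this
        elif this != algo:
            raise ValueError(f"line {lineno}: mixed algorithms ({algo} vs {this})")
        entries.append((digest.lower(), rel))
    return algo, entries


def verify_sums(root, control_path):
    """debsums-style check: returns (algo, [(relpath, status), ...]) with
    status one of 'OK', 'FAILED' (content changed) or 'MISSING'."""
    algo, entries = parse_sums_text(Path(control_path).read_text())
    results = []
    for digest, rel in entries:
        p = Path(root) / rel
        if not p.is_file():
            results.append((rel, "MISSING"))
        elif file_digest(p, algo) != digest:
            results.append((rel, "FAILED"))
        else:
            results.append((rel, "OK"))
    return algo, results


def demo():
    """Constructed package tree: generate sha256sums, verify it, modify one
    shipped file, and verify again. Returns (entries, algo, clean, modified)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "pkg"
        binary = root / "usr" / "bin" / "foobar"
        readme = root / "usr" / "share" / "doc" / "foobar" / "README"
        binary.parent.mkdir(parents=True)
        readme.parent.mkdir(parents=True)
        binary.write_bytes(b"#!/bin/sh\necho hello\n")
        readme.write_bytes(b"constructed sample documentation\n")
        control = Path(tmp) / "sha256sums"
        count = write_sums(root, control)
        algo, clean = verify_sums(root, control)
        binary.write_bytes(b"#!/bin/sh\necho modified\n")  # simulate on-disk change
        _, modified = verify_sums(root, control)
        return count, algo, clean, modified


if __name__ == "__main__":
    count, algo, clean, modified = demo()
    print(f"{count} entries, algorithm {algo}")
    for rel, status in modified:
        print(f"{status:8} {rel}")
```

The parser rejects a file that mixes digest lengths, which is the main risk of autodetection: a checker that silently accepted both would let a weaker MD5 entry sit beside SHA-256 entries. Note that, like debsums, this only tells you whether a file differs from what the package shipped; it does not authenticate the sums file itself, so the control file still has to come from the trusted .deb.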