[Bug 1191993] [NEW] net-retriever relies on MD5SUMs, should use SHA256

[Alec Warner]

Public bug reported:

I was trying to get d-i to use my new shiny (not yet released) mirror
setup. During testing, I noticed that net-retriever was failing to parse
my Release files because my MD5Sum: lines were "MD5Sum: $" and not the
expected "MD5Sum:$".

I fixed the bug in my Release file generator and moved on. However, net-
retriever should probably be switched to rely on stronger checksums that
are less prone to collisions than MD5Sum.

Then I downloaded lp:ubuntu/net-retriever and verified that it was still
vulnerable.

I am using net-retriever from Precise (1.29ubuntu1).

I don't think we care too much if it is fixed in Precise, but it should
be fixed before T.

-A

** Affects: net-retriever (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to net-retriever in Ubuntu.
https://bugs.launchpad.net/bugs/1191993

Title:
  net-retriever relies on MD5SUMs, should use SHA256

Status in “net-retriever” package in Ubuntu:
  New

Bug description:
  I was trying to get d-i to use my new shiny (not yet released) mirror
  setup. During testing, I noticed that net-retriever was failing to
  parse my Release files because my MD5Sum: lines were "MD5Sum: $" and
  not the expected "MD5Sum:$".

  I fixed the bug in my Release file generator and moved on. However,
  net-retriever should probably be switched to rely on stronger
  checksums that are less prone to collisions than MD5Sum.

  Then I downloaded lp:ubuntu/net-retriever and verified that it was
  still vulnerable.

  I am using net-retriever from Precise (1.29ubuntu1).

  I don't think we care too much if it is fixed in Precise, but it
  should be fixed before T.

  -A

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/net-retriever/+bug/1191993/+subscriptions