unofficial mirror of guix-patches@gnu.org 
From: Christopher Baines <mail@cbaines.net>
To: Leo Famulari <leo@famulari.name>
Cc: 32303@debbugs.gnu.org
Subject: [bug#32303] [PATCH] gnu: Patch duplicity with --ignore-mdc-error.
Date: Sun, 19 Aug 2018 20:46:43 +0100
Message-ID: <87ftzakul8.fsf@cbaines.net>
In-Reply-To: <20180807165649.GA917@jasmine.lan>

Leo Famulari <leo@famulari.name> writes:

> On Sun, Jul 29, 2018 at 04:41:52PM +0100, Christopher Baines wrote:
>> Modify the package to patch gnu.py with an unreleased upstream change to fix
>> duplicity working with recent releases of GnuPG. This change makes the package
>> build again.
>>
>> +        gnupg.options.extra_args.append('--ignore-mdc-error')"))
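Review bot: on the `+` line, `--ignore-mdc-error` is appended to `gnupg.options.extra_args` with no condition, so it appears to apply to every gpg call made through this options object rather than only to the case that broke the build. GnuPG documents this option as turning an MDC integrity failure into a warning, so the patch should either scope the flag to the call that needs it or carry a comment and a package-description change stating that modification detection is no longer enforced.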
>
> Thanks for taking care of this package.
>
> I'm concerned about the impact of this change, and Duplicity in general.
>
> By ignoring the result of the MDC (modification detection code) check, I
> *think* Duplicity loses the ability to authenticate its archives. If so,
> the Duplicity package description should be changed to reflect this. I
> would at least remove the text about safety against modification.
>
> Also and FYI, Duplicity uses the MD4 message digest truncated to 64 bits
> (via librsync) to identify chunks for deduplication. [0] MD4 collisions
> are trivial to generate.

Hmm, this does look like more of an issue than I anticipated. I was
thinking that this was maybe to do with the tests alone, but checking
the upstream change again, it looks like it affects general operation.

> It's not totally reasonable to remove packages like backup programs
> since, in the future, people will want to read the archives they have
> created. But perhaps we should steer users away from Duplicity in the
> package description.

Yeah, removing the statement about "modification" in the description
sounds like a good step. I don't know enough to add something more
informative to the description though.

One extra thing to note is that I use duplicity (well, not much) through
Deja Dup, so if there are issues with duplicity to describe in the
package description, it might be good to add something similar to the
few packages that use duplicity.

Thanks for looking into this, Leo :)
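Added example, not part of the original message and not Duplicity's or Guix's code: one way a wrapper around gpg can still fail closed on the MDC result discussed above, by reading the machine-readable status lines gpg writes with `--status-fd`. It assumes the status keywords from GnuPG's doc/DETAILS (`GOODMDC`, `BADMDC`, `DECRYPTION_OKAY`, `DECRYPTION_INFO`); the function names and the sample status text are constructed for illustration, not captured from a real run.

```python
"""Decide from gpg --status-fd output whether decrypted data was integrity-checked."""

PREFIX = "[GNUPG:] "


def mdc_verdict(status_text):
    """Return 'verified', 'tampered', 'no-mdc' or 'unknown' for one decryption."""
    seen = set()
    mdc_method = None
    for line in status_text.splitlines():
        if not line.startswith(PREFIX):
            continue  # human-readable diagnostics, not machine status
        fields = line[len(PREFIX):].split()
        if not fields:
            continue
        seen.add(fields[0])
        if fields[0] == "DECRYPTION_INFO" and len(fields) > 1:
            mdc_method = fields[1]  # "0" means the message carried no MDC
    if "BADMDC" in seen:
        return "tampered"  # wins even if a success keyword is also present
    if "GOODMDC" in seen and "DECRYPTION_OKAY" in seen:
        return "verified"
    if mdc_method == "0":
        return "no-mdc"
    return "unknown"


def safe_to_restore(status_text):
    """Fail closed: only a positively verified MDC allows using the plaintext."""
    return mdc_verdict(status_text) == "verified"


# Constructed status output for three cases (hypothetical file name and values).
GOOD = """[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] DECRYPTION_INFO 2 9
[GNUPG:] PLAINTEXT 62 1534707600 vol1.difftar
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] GOODMDC
[GNUPG:] END_DECRYPTION
"""
BAD = GOOD.replace("GOODMDC", "BADMDC")
MISSING = """gpg: WARNING: message was not integrity protected
[GNUPG:] DECRYPTION_INFO 0 9
[GNUPG:] DECRYPTION_OKAY
"""
```

The checker treats a missing `GOODMDC` the same as a failure, so a restore is refused whether gpg was told to ignore the MDC error or the archive never carried an MDC at all.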

