Subject: [bug#32303] [PATCH] gnu: Patch duplicity with --ignore-mdc-error.
Date: Tue, 7 Aug 2018 12:56:49 -0400
From: Leo Famulari
To: Christopher Baines
Cc: 32303@debbugs.gnu.org

On Sun, Jul 29, 2018 at 04:41:52PM +0100, Christopher Baines wrote:
> Modify the package to patch gnu.py with an unreleased upstream change to fix
> duplicity working with recent releases of GnuPG. This change makes the package
> build again.
>
> + gnupg.options.extra_args.append('--ignore-mdc-error')"))

Thanks for taking care of this package.
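
Review bot: the `+` line that appends `--ignore-mdc-error` to `gnupg.options.extra_args` carries no comment explaining why the flag is needed or when the substitution can be dropped. The commit message calls this an unreleased upstream change, so a comment beside the substitution that names that upstream change, and notes that the flag makes GnuPG report an MDC integrity failure as a warning instead of an error, would tell the next maintainer what is being traded away and when to remove the workaround. As far as the quoted line shows, the flag is added for every GnuPG invocation, so it is also worth confirming that this matches what upstream does.
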

I'm concerned about the impact of this change, and Duplicity in general.

By ignoring the result of the MDC (modification detection code) check, I *think* Duplicity loses the ability to authenticate its archives. If so, the Duplicity package description should be changed to reflect this. I would at least remove the text about safety against modification.

Also and FYI, Duplicity uses the MD4 message digest truncated to 64 bits (via librsync) to identify chunks for deduplication. [0] MD4 collisions are trivial to generate.

It's not totally reasonable to remove packages like backup programs since, in the future, people will want to read the archives they have created. But perhaps we should steer users away from Duplicity in the package description.

[0] See:
... also briefly discussed in our bug tracker: