GNU bug report logs -
#32303
[PATCH] gnu: Patch duplicity with --ignore-mdc-error.
Previous Next
Reported by: Christopher Baines <mail <at> cbaines.net>
Date: Sun, 29 Jul 2018 15:43:01 UTC
Severity: normal
Tags: patch
Done: Christopher Baines <mail <at> cbaines.net>
Bug is archived. No further changes may be made.
Full log
View this message in rfc822 format
[Message part 1 (text/plain, inline)]
On Sun, Jul 29, 2018 at 04:41:52PM +0100, Christopher Baines wrote:
> Modify the package to patch gnu.py with an unreleased upstream change to fix
> duplicity working with recent releases of GnuPG. This change make the package
> build again.
>
> + gnupg.options.extra_args.append('--ignore-mdc-error')"))
Thanks for taking care of this package.
I'm concerned about the impact of this change, and Duplicity in general.
By ignoring the result of the MDC (modification detection code) check, I
*think* Duplicity loses the ability to authenticate its archives. If so,
the Duplicity package description should be changed to reflect this. I
would at least remove the text about safety against modification.
Also and FYI, Duplicity uses the MD4 message digest truncated to 64 bits
(via librsync) to identify chunks for deduplication. [0] MD4 collisions
are trivial to generate.
It's not totally reasonable to remove packages like backup programs
since, in the future, people will want to read the archives they have
created. But perhaps we should steer users away from Duplicity in the
package description.
[0] See:
<https://bugs.launchpad.net/duplicity/+bug/1342721>
... also briefly discussed in our bug tracker:
<https://bugs.gnu.org/30448>
[signature.asc (application/pgp-signature, inline)]
This bug report was last modified 6 years and 262 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.