[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[bug#32303] [PATCH] gnu: Patch duplicity with --ignore-mdc-error.

From: Leo Famulari
Subject: [bug#32303] [PATCH] gnu: Patch duplicity with --ignore-mdc-error.
Date: Tue, 7 Aug 2018 12:56:49 -0400
User-agent: Mutt/1.10.1 (2018-07-13)

On Sun, Jul 29, 2018 at 04:41:52PM +0100, Christopher Baines wrote:
> Modify the package to patch with an unreleased upstream change to fix
> duplicity working with recent releases of GnuPG. This change make the package
> build again.
> +        gnupg.options.extra_args.append('--ignore-mdc-error')"))

Thanks for taking care of this package.

I'm concerned about the impact of this change, and Duplicity in general.

By ignoring the result of the MDC (modification detection code) check, I
*think* Duplicity loses the ability to authenticate its archives. If so,
the Duplicity package description should be changed to reflect this. I
would at least remove the text about safety against modification.

Also and FYI, Duplicity uses the MD4 message digest truncated to 64 bits
(via librsync) to identify chunks for deduplication. [0] MD4 collisions
are trivial to generate.

It's not totally reasonable to remove packages like backup programs
since, in the future, people will want to read the archives they have
created. But perhaps we should steer users away from Duplicity in the
package description.

[0] See:
... also briefly discussed in our bug tracker:

Attachment: signature.asc
Description: PGP signature

reply via email to

[Prev in Thread] Current Thread [Next in Thread]