Re: Debian derivatives census: timeline for dropping SHA-1 support from apt
On 15/03/16 11:42, Paul Wise wrote:
> Hi all,
>
> The Debian apt maintainers plan to drop SHA-1 support from apt:
>
> https://juliank.wordpress.com/2016/03/14/dropping-sha-1-support-in-apt/
>
> If you are in the To header on this mail then it means your derivative
> relies on the security of MD5/SHA1 in some capacity. To find out where,
> you can look at the check-package-list file for your distribution and
> look at the Hash: fields at the top of your InRelease or Release.gpg
> files.

My name was in the To list, yet I see no mention of SHA-1 in
http://deriv.debian.net/Raspbian/check-package-list and when I look at
Release.gpg I don't see any "Hash:"; I just see:

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iQEcBAABAgAGBQJW6IlWAAoJEJFlk42Q/d0uGnwIAK1fPmrau53Hv0YUCFp4Izpd
s5Q4bpuNgvnb4LLSDgFnWRggsmRAeiK4f84UkFZIsj72g6EpG0caFuXgnt7lfy4w
CrISgd23UeMrxIiCSH/PJRosBajUjzPdJ8vU0gGHmVRYUTiTMw5d+4Fze/QkAtp7
8rHYGBTMUm31suOVvcKuNWXrk6oeTaqwnoYNtSAX4Sc7zFOsNvHWVUpWO2OEsgvW
BY8bdUAR7z6jWGWAD0zGT/Y8d35UK2DTeAONsBqEt2MeGzCBuNOidwotnr1N0kx8
ULQi4IjoMsY+HiRaxHqLKk5rlryRkoyGCeKSHWT+O4aFYuWhIVRWqiivxSmrfVM=
=8mY2
-----END PGP SIGNATURE----

> Please update your derivatives to add SHA-2 hashes in your apt
> metadata and in your OpenPGP signatures of that apt metadata.
>
> http://deriv.debian.net/Ubuntu/check-package-list
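
Added example, not part of the original message or of apt: the "Hash:" armor header is only used in clearsigned files such as InRelease, so a detached Release.gpg does not show one, and its digest algorithm is a byte inside the OpenPGP signature packet (RFC 4880). The Python below reads that byte; the function names are hypothetical, `PAGE_SIG_PREFIX` holds only the first 12 base64 characters of the signature quoted in the message, and the SHA-256 sample is constructed.

```python
import base64
# Hash algorithm IDs from RFC 4880, section 9.4
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK = {"MD5", "SHA1", "RIPEMD160"}

# First 12 base64 characters of the signature quoted in the message (9 bytes).
PAGE_SIG_PREFIX = """-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAABAgAG
-----END PGP SIGNATURE-----"""
# Constructed sample: the same header bytes with hash algorithm 8 (SHA-256).
CONSTRUCTED_SHA256 = "-----BEGIN PGP SIGNATURE-----\n\niQEcBAABCAAG\n-----END PGP SIGNATURE-----"

def dearmor(text):
    """Return the binary packet data from an ASCII-armored block."""
    lines = [l.strip() for l in text.splitlines()]
    # Drop armor boundaries, "Key: value" headers and the "=XXXX" CRC line.
    body = [l for l in lines if l and not l.startswith(("-----", "=")) and ": " not in l]
    return base64.b64decode("".join(body))

def signature_hash(armored):
    """Return the digest algorithm name of the first signature packet."""
    data = dearmor(armored)
    first = data[0]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet")
    if first & 0x40:                      # new-format packet header
        tag, l0 = first & 0x3F, data[1]
        skip = 6 if l0 == 255 else 3 if 192 <= l0 < 224 else 2
    else:                                 # old-format packet header
        tag = (first >> 2) & 0x0F
        skip = 1 + (1, 2, 4, 0)[first & 0x03]
    if tag != 2:
        raise ValueError("first packet is not a signature (tag %d)" % tag)
    body = data[skip:]
    if body[0] == 4:                      # v4: version, type, pubkey algo, hash algo
        algo = body[3]
    elif body[0] == 3:                    # v3: hash algo follows time and key ID
        algo = body[16]
    else:
        raise ValueError("unsupported signature version %d" % body[0])
    return HASH_ALGOS.get(algo, "unknown(%d)" % algo)

def uses_weak_hash(armored):
    """True if the signature digest is MD5, SHA-1 or RIPEMD-160."""
    return signature_hash(armored) in WEAK
```

Passing the full contents of a Release.gpg file to `signature_hash` works the same way, since only the leading packet header bytes are inspected.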