Re: dpkg-sig support wanted?

[Florian Weimer <fw@deneb.enyo.de>]

* Anthony Towns:

> (I'm amazed the security "crisis" we're having is about deb sigs
> *again*, when we're still relying on md5sum which has a public exploit
> available now...)

These exploits are irrelevant as far as the Debian archive is
concerned.  (And that's not because hardly any sarge user verifies the
MD5 hashes, by the way. 8-)

Moving away from MD5 is certainly not a bad idea, but it's not clear
whether the alternatives are any better.  Sure, everyone recommends
SHA-256 at this stage, but nobody can give a rationale.