
Bug#856211: anna: please implement SHA256 verification of .udeb files

Steven Chamberlain <steven@pyro.eu.org> (2017-02-26):
> To date, anna still only implements MD5 verification of .udeb files,
> despite its formal deprecation as a digital signature algorithm by
> RFC6151 (2011) and recommendations of academic literature years prior.
> The files are typically downloaded via insecure HTTP transport, so the
> checksum verification is critical for the security of the installed
> system.  stretch is expected to be a supported release until 2022.  So
> I'm tentatively filing this bug as RC-severity.
> Further context and an overview of related bugs will be published at:
> https://wiki.debian.org/InstallerDebacle

AFAICT net-retriever does the fetching and checking work?

