Steven Chamberlain <steven@pyro.eu.org> (2017-02-26): > To date, anna still only implements MD5 verification of .udeb files, > despite its formal deprecation as a digital signature algorithm by > RFC6151 (2011) and recommendations of academic literature years prior. > > The files are typically downloaded via insecure HTTP transport, so the > checksum verification is critical for the security of the installed > system. stretch is expected to be a supported release until 2022. So > I'm tentatively filing this bug as RC-severity. > > Further context and an overview of related bugs will be published at: > https://wiki.debian.org/InstallerDebacle AFAICT net-retriever does the fetching and checking work? KiBi.
Attachment:
signature.asc
Description: Digital signature