[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Debian derivatives census: timeline for dropping SHA-1 support from apt

Paul Wise:
> Hi all,
> 
> The Debian apt maintainers plan to drop SHA-1 support from apt:
> 
> https://juliank.wordpress.com/2016/03/14/dropping-sha-1-support-in-apt/
> 
> If you are in the To header on this mail then it means your derivative
> relies on the security of MD5/SHA1 in some capacity. To find out where,
> you can look at the check-package-list file for your distribution and
> look at the Hash: fields at the top of your InRelease or Release.gpg
> files. Please update your derivatives to add SHA-2 hashes in your apt
> metadata and in your OpenPGP signatures of that apt metadata.
> 
> http://deriv.debian.net/Ubuntu/check-package-list
> 

https://whonix.org/download/whonixdevelopermetafiles/internal/dists/jessie/Release

is using MD5, SHA-1 and SHA-256.

Why is it a problem to keep MD5 and SHA-1 as long as SHA-256 is provided?

The repository is created using reprepro. Does reprepro even support
dropping MD5 and SHA-1?

Cheers,
Patrick
Reply to: