
Re: Debian derivatives census: timeline for dropping SHA-1 support from apt

2016-03-15 14:21 GMT+01:00 Patrick Schleizer <adrelanos@riseup.net>:
> Paul Wise:
>> Hi all,
>> The Debian apt maintainers plan to drop SHA-1 support from apt:
>> https://juliank.wordpress.com/2016/03/14/dropping-sha-1-support-in-apt/
>> If you are in the To header on this mail then it means your derivative
>> relies on the security of MD5/SHA1 in some capacity. To find out where,
>> you can look at the check-package-list file for your distribution and
>> look at the Hash: fields at the top of your InRelease or Release.gpg
>> files. Please update your derivatives to add SHA-2 hashes in your apt
>> metadata and in your OpenPGP signatures of that apt metadata.
>> http://deriv.debian.net/Ubuntu/check-package-list
> https://whonix.org/download/whonixdevelopermetafiles/internal/dists/jessie/Release
> is using MD5, SHA-1 and SHA-256.
> Why is it a problem to keep MD5 and SHA-1 as long as SHA-256 is provided?
> The repository is created using reprepro. Does reprepro even support
> dropping MD5 and SHA-1?

Same for Tanglu - our repositories are built using dak and I am even
running APT Git master there, which works flawlessly.
Is this maybe an issue in the test script?
(We also provide MD5, SHA-1 and SHA-256 checksums)
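
The quoted request names two separate places where SHA-2 is needed: the checksum sections of the Release metadata and the digest used by the OpenPGP signature over it. The following is an added example, not part of the original thread or of any census script, that reports both for a clearsigned InRelease file; the function names and the sample file are constructed for illustration, and a detached Release.gpg is not handled.

```python
import re
SHA2 = {"SHA224", "SHA256", "SHA384", "SHA512"}
# Checksum section names in an apt Release file, mapped to the digest they carry.
SECTIONS = {"MD5Sum": "MD5", "SHA1": "SHA1", "SHA256": "SHA256", "SHA512": "SHA512"}
# Constructed sample (digests are those of empty input; signature block left empty).
SAMPLE = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Suite: jessie
MD5Sum:
 d41d8cd98f00b204e9800998ecf8427e 0 main/binary-amd64/Packages
SHA1:
 da39a3ee5e6b4b0d3255bfef95601890afd80709 0 main/binary-amd64/Packages
SHA256:
 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 0 main/binary-amd64/Packages
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
"""

def audit_inrelease(text):
    """Return (signature digests, checksum digests) declared in a clearsigned InRelease."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "-----BEGIN PGP SIGNED MESSAGE-----":
        raise ValueError("not a clearsigned InRelease file")
    sig_hashes, i = set(), 1
    # Armor headers end at the first blank line; "Hash:" may hold a comma-separated list.
    while i < len(lines) and lines[i].strip():
        key, _, value = lines[i].partition(":")
        if key.strip() == "Hash":
            sig_hashes |= {h.strip().upper() for h in value.split(",") if h.strip()}
        i += 1
    digests = set()
    for line in lines[i:]:
        if line.startswith("-----BEGIN PGP SIGNATURE-----"):
            break
        m = re.match(r"([A-Za-z0-9]+):\s*$", line)  # a section header has no value
        if m and m.group(1) in SECTIONS:
            digests.add(SECTIONS[m.group(1)])
    return sig_hashes, digests

def findings(text):
    # Both checks must pass: a SHA-2 signature digest and a SHA-2 checksum section.
    sig_hashes, digests = audit_inrelease(text)
    out = []
    if not sig_hashes & SHA2:
        out.append("signature digest is not SHA-2: " + ",".join(sorted(sig_hashes) or ["(none declared)"]))
    if not digests & SHA2:
        out.append("no SHA-2 checksum section in Release metadata")
    return out
```

In the constructed sample the SHA256 section is present alongside MD5Sum and SHA1, so only the signature digest is reported.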

