
Re: Debian derivatives census: timeline for dropping SHA-1 support from apt



2016-03-15 14:21 GMT+01:00 Patrick Schleizer <adrelanos@riseup.net>:
> Paul Wise:
>> Hi all,
>>
>> The Debian apt maintainers plan to drop SHA-1 support from apt:
>>
>> https://juliank.wordpress.com/2016/03/14/dropping-sha-1-support-in-apt/
>>
>> If you are in the To header on this mail then it means your derivative
>> relies on the security of MD5/SHA1 in some capacity. To find out where,
>> you can look at the check-package-list file for your distribution and
>> look at the Hash: fields at the top of your InRelease or Release.gpg
>> files. Please update your derivatives to add SHA-2 hashes in your apt
>> metadata and in your OpenPGP signatures of that apt metadata.
>>
>> http://deriv.debian.net/Ubuntu/check-package-list
>>
>
> https://whonix.org/download/whonixdevelopermetafiles/internal/dists/jessie/Release
>
> is using MD5, SHA-1 and SHA-256.
>
> Why is it a problem to keep MD5 and SHA-1 as long as SHA-256 is provided?
>
> The repository is created using reprepro. Does reprepro even support
> dropping MD5 and SHA-1?

Same for Tanglu - our repositories are built using dak and I am even
running APT Git master there, which works flawlessly.
Is this maybe an issue in the test script?
(We also provide MD5, SHA-1 and SHA-256 checksums)

Cheers,
    Matthias