Re: dpkg-sig support wanted?

* Anthony Towns:
> (I'm amazed the security "crisis" we're having is about deb sigs
> *again*, when we're still relying on md5sum which has a public exploit
> available now...)

These exploits are irrelevant as far as the Debian archive is
concerned. (And that's not because hardly any sarge user verifies the
MD5 hashes, by the way. 8-)

Moving away from MD5 is certainly not a bad idea, but it's not clear
whether the alternatives are any better. Sure, everyone recommends
SHA-256 at this stage, but nobody can give a rationale.