[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Release file changes

On Sun, Feb 20, 2011 at 07:03:11PM +0100, Joerg Jaspert wrote:
> I additionally opened a bug with apt to add support for SHA512SUM, so
> we can start using them. As soon as that is possible I intend to drop
> SHA256 and end up with SHA1/SHA512 only.

Unfortunately, the algorithm used for the GnuPG signatures (both in
InRelease and Release.gpg) is SHA-1.  Removing SHA-256 in favor of
SHA-512 does not increase security because the signatures are the
weakest point.  See #612657 for more details.

brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187

Attachment: signature.asc
Description: Digital signature

Reply to: