Re: Release file changes
>> I additionally opened a bug with apt to add support for SHA512SUM, so
>> we can start using them. As soon as that is possible I intend to drop
>> SHA256 and end up with SHA1/SHA512 only.
> Unfortunately, the algorithm used for the GnuPG signatures (both in
> InRelease and Release.gpg) is SHA-1. Removing SHA-256 in favor of
> SHA-512 does not increase security because the signatures are the
> weakest point. See #612657 for more details.
Well, a slightly different point than reducing yourself to just 2
hashes, but yes, we should look to change that part too.
--
bye, Joerg
Son, when you participate in sporting events, it's not whether you win
or lose: it's how drunk you get.
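
The quoted reply's point is that the digest used by the GnuPG signature in Release.gpg or InRelease matters as much as the checksum fields. That digest can be read from the hash-algorithm byte of the OpenPGP signature packet. The Python below is an added example, not part of the original message; the function names and the truncated sample packet are constructed for illustration, and only the first signature packet is inspected.

```python
import base64

# Hash algorithm IDs from RFC 4880, section 9.4.
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK = {"MD5", "SHA1"}
BEGIN, END = "-----BEGIN PGP SIGNATURE-----", "-----END PGP SIGNATURE-----"

def dearmor(text):
    """Decode the armored signature block of Release.gpg or InRelease."""
    block = text.replace("\r\n", "\n").split(BEGIN, 1)[1].split(END, 1)[0]
    _headers, _, body = block.partition("\n\n")
    lines = [l.strip() for l in body.splitlines()]
    # Skip blank lines and the optional "=XXXX" CRC-24 line.
    return base64.b64decode("".join(l for l in lines if l and l[0] != "="))

def signature_hash(packet):
    """Return the hash algorithm name of the first signature packet."""
    tag = packet[0]
    if not tag & 0x80:
        raise ValueError("not an OpenPGP packet")
    if tag & 0x40:                        # new-format packet header
        ptype, first = tag & 0x3F, packet[1]
        if first >= 224 and first != 255:
            raise ValueError("partial body length not supported")
        off = 2 if first < 192 else 3 if first < 224 else 6
    else:                                 # old-format packet header
        ptype = (tag >> 2) & 0x0F
        off = 1 + (1, 2, 4, 0)[tag & 0x03]
    if ptype != 2:
        raise ValueError("first packet is not a signature")
    body = packet[off:]
    if body[0] not in (3, 4):
        raise ValueError("unsupported signature version %d" % body[0])
    # v4: version, sig type, pubkey algo, hash algo.
    # v3: hash algo follows the creation time, key ID and pubkey algo.
    algo = body[3] if body[0] == 4 else body[16]
    return HASH_ALGOS.get(algo, "unknown(%d)" % algo)

def audit(armored):
    """Return (hash name, True if the signature digest is MD5 or SHA-1)."""
    name = signature_hash(dearmor(armored))
    return name, name in WEAK

def sample_armor(hash_id):
    """Constructed, truncated v4 signature packet (RSA, empty subpackets)."""
    pkt = bytes([0x88, 8, 4, 0x00, 1, hash_id, 0, 0, 0, 0])
    return BEGIN + "\n\n" + base64.b64encode(pkt).decode() + "\n" + END + "\n"

if __name__ == "__main__":
    print(audit(sample_armor(2)))
```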