Re: Debian should move away from MD5 (and at best also from SHA1) (in secure APT and friends)
On 15 October 2012 18:46, Michael Gilbert <firstname.lastname@example.org> wrote:
> On Sun, Oct 14, 2012 at 9:08 PM, Christoph Anton Mitterer wrote:
>>> If so, please submit
>>> bugs, and we will look at fixing them. Otherwise, speculation gets us
>>> nowhere and actually wastes time.
>> Well I had once a discussion (around March this year) here about
>> blockin/downgrade attacks... which, AFAICS, both are possible in secure
>> APT right now.... but there was no real outcome.
>> Unforunately it seems that people do not take these higher-level attacks
>> really serious.... even though the danger they impose is quite high.
> Are there bug reports with a clear description of the problem,
> preferably with a proposed fix? Discussion doesn't really get us
> anywhere. Useful info and actual efforts at fixing problems do.
So far no bugs or problems were uncovered. So nothing to file or fix ;-)
I can think of adding SHA-3 hashes... but none of the tools support it
yet, so it's future wishlist bug, which I am sure will be acted upon
at an appropriate time and doesn't need a bug filed at present time.