
Re: Debian should move away from MD5 (and at best also from SHA1) (in secure APT and friends)



On 15 October 2012 18:46, Michael Gilbert <mgilbert@debian.org> wrote:
> On Sun, Oct 14, 2012 at 9:08 PM, Christoph Anton Mitterer wrote:
>>> If so, please submit
>>> bugs, and we will look at fixing them.  Otherwise, speculation gets us
>>> nowhere and actually wastes time.
>> Well I had once a discussion (around March this year) here about
>> blocking/downgrade attacks... which, AFAICS, both are possible in secure
>> APT right now.... but there was no real outcome.
>> Unfortunately it seems that people do not take these higher-level attacks
>> really seriously.... even though the danger they impose is quite high.
>
> Are there bug reports with a clear description of the problem,
> preferably with a proposed fix?  Discussion doesn't really get us
> anywhere.  Useful info and actual efforts at fixing problems do.
>

So far no bugs or problems were uncovered. So nothing to file or fix ;-)

I can think of adding SHA-3 hashes... but none of the tools support it
yet, so it's a future wishlist bug, which I am sure will be acted upon
at an appropriate time and doesn't need a bug filed at the present time.

Regards,

Dmitrijs.

