On Fri, Jun 17, 2016 at 03:02:56PM +0100, Greg Stark wrote:
> But as far as I can see the file I get at that URL from my browser
> does in fact match the md5sum and sha1 in the package description. As
> far as I can tell this either means there's a bug in APT or there's a

It's a bug in APT insofar as it isn't saying what is actually the problem:
You might have noticed that this repository generated[0] warnings/errors
in 'apt update' before talking about the usage of SHA1 as algorithm
guarding the Release file signature.

The APT team is pushing for the removal of SHA1 from our trustchain[1]
as it's simply too weak going forward. Browsers do the same for SSL
certificates btw. If you wanna know more about this I suggest listening
to Julian's talk about this (and other apt stuff) at DebConf btw.

So, the error shouldn't say hashsum mismatch, but something more like
"too weak hash" – but error is error either way, so you may want to talk
to the repository maintainers (there are more than just this repository
with such an issue) and I should write a patch to produce a better message
as we were talking in the APT team about it for a while now…

Best regards

David Kalnischkies

[0] It did in the past, but was recently updated, so I give it the benefit
of the doubt as I don't feel like checking…
[1] https://wiki.debian.org/Teams/Apt/Sha1Removal
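The distinction drawn in the mail above, between a file that fails its listed hashes and an index entry that lists only MD5 and SHA1, can be checked with a few lines of Python. This is an added example, not code from the mail or from APT: the verdict labels and the sample stanza are constructed, and treating only SHA256/SHA512 as strong is an assumption of the sketch rather than APT's exact policy.

```python
import hashlib

# Hash fields of a Debian Packages stanza (lowercased) -> hashlib names.
# Assumption of this sketch: MD5 and SHA1 count as weak, per the mail above.
WEAK = {"md5sum": "md5", "sha1": "sha1"}
STRONG = {"sha256": "sha256", "sha512": "sha512"}

def parse_stanza(text):
    """Parse one RFC822-style stanza into a dict with lowercased keys."""
    fields, last = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and last:          # continuation line
            fields[last] += "\n" + line.strip()
        elif ":" in line:
            key, value = line.split(":", 1)
            last = key.strip().lower()
            fields[last] = value.strip()
    return fields

def check_package(stanza_text, data):
    """Return (verdict, detail) for the file bytes against one stanza."""
    fields = parse_stanza(stanza_text)
    listed = {k: v for k, v in fields.items() if k in WEAK or k in STRONG}
    for key, expected in listed.items():
        algo = WEAK.get(key) or STRONG[key]
        if hashlib.new(algo, data).hexdigest() != expected.lower():
            return "mismatch", key             # the bytes really differ
    if not any(k in STRONG for k in listed):
        # Every listed hash matches, but none of them is trusted.
        return "too-weak", ",".join(sorted(listed)) or "none"
    return "ok", ",".join(sorted(k for k in listed if k in STRONG))

# Constructed sample: an index entry that lists only MD5 and SHA1.
DEB = b"constructed package bytes"
WEAK_ONLY = (
    "Package: example\n"
    "Filename: pool/main/e/example/example_1.0_all.deb\n"
    f"MD5sum: {hashlib.md5(DEB).hexdigest()}\n"
    f"SHA1: {hashlib.sha1(DEB).hexdigest()}\n"
)
WITH_SHA256 = WEAK_ONLY + f"SHA256: {hashlib.sha256(DEB).hexdigest()}\n"

if __name__ == "__main__":
    print(check_package(WEAK_ONLY, DEB))
    print(check_package(WITH_SHA256, DEB))
```

Run against a stanza copied from a repository's Packages file together with the downloaded .deb, a "too-weak" verdict means the fix belongs on the repository side, by publishing SHA256 entries.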