[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Problem with Google APT repo

On Fri, Jun 17, 2016 at 03:02:56PM +0100, Greg Stark wrote:
> But as far as I can see the file I get at that URL from my browser
> does in fact match the md5sum and sha1 in the package description. As
> far as I can tell this either means there's a bug in APT or there's a

Its a bug in APT in sofar as it isn't saying what is actually the
problem: You might have noticed that this repository generated[0]
warnings/errors in 'apt update' before talking about the usage of SHA1
as algorithm guarding the Release file signature.

The APT team is pushing for the removal of SHA1 from our trustchain[1]
as its simply to weak going forward. Browsers do the same for SSL
certificates btw. If you wanna know more about this I suggest listening
to Julians talk about this (and other apt stuff) at DebConf btw.

So, the error shouldn't say hashsum mismatch, but something more like
"too weak hash" – but error is error either way, so you may want to talk
to the repository maintainers (there are more than just this repository
with such an issue) and I should write a patch to produce a better
message as we were talking in the APT team about it for a while now…

Best regards

David Kalnischkies

[0] It did in the past, but was recently updated, so I give it the
benefit of the doubt as I don't feel like checking…

[1] https://wiki.debian.org/Teams/Apt/Sha1Removal

Attachment: signature.asc
Description: PGP signature

Reply to: