
Re: Hash algorithms used by APT to verify authenticity of installed files.

* [Sat, Apr 23, 2011 at 12:04:33PM +0200] Quequanys:

    Does it fall back to a weaker algorithm if the hash
    made with the stronger one is not available? Is there a
    way to force APT to use only selected algorithms,
    so APT only accepts files verified by the chosen
    algorithms, and rejects files when the required
    hashes are unavailable?


    Could you point me to specific portions of
    documentation that covers this issue?

I usually consider /usr/share/doc/apt/examples/configure-index.gz
the best source of information regarding apt parameters.

Gian Piero.


Hi again

(this is my second email address)

Thanks for pointing me to /usr/share/doc/apt/examples/configure-index.gz.
However, descriptions in this file are poor in my opinion; in the case
of the ForceHash option it only says:

"ForceHash "sha256"; // hashmethod used for expected hash: sha256,
sha1 or md5sum"

It doesn't say what will happen if the expected hash is unavailable -
maybe it will just use a weaker hash as a fallback? I think that issues
regarding security should be described clearly and exhaustively. Many
people like me are not coders and don't understand source code :(

Does anyone know if this issue is described somewhere in official
documentation? Either with ForceHash or without that option (default
