Re: Why Does Debian Use PGP to Sign Packages

To: Jeffrey Walton <noloader@gmail.com>
Cc: fosres@posteo.de, Debian security <debian-security@lists.debian.org>
Subject: Re: Why Does Debian Use PGP to Sign Packages
From: Simon Josefsson <simon@josefsson.org>
Date: Sat, 16 Aug 2025 11:33:08 +0200
Message-id: <[🔎] 87wm73392j.fsf@josefsson.org>
In-reply-to: <[🔎] CAH8yC8m5B8xqrPPtpK3T_zA6whm7-jWxgmma0uafrm33W7UHmw@mail.gmail.com> (Jeffrey Walton's message of "Sat, 16 Aug 2025 05:13:25 -0400")
References: <[🔎] a66cd45403052dc7a4e55f60885e4737@posteo.de> <[🔎] CAH8yC8m5B8xqrPPtpK3T_zA6whm7-jWxgmma0uafrm33W7UHmw@mail.gmail.com>

Jeffrey Walton <noloader@gmail.com> writes:

> https://www.debian.org/doc/manuals/securing-debian-manual/deb-pack-sign.en.html

That's all MD5.  Looks like that document hasn't been updated for the
last decade or so.

"The Release files also include SHA-1 checksums, which will be useful
once MD5 sums become fully broken, however apt doesn't use them yet."

Today both MD5 and SHA1 are fully broken...

/Simon

Attachment: signature.asc
Description: PGP signature

Reply to:

References:
- Why Does Debian Use PGP to Sign Packages
  - From: fosres@posteo.de
- Re: Why Does Debian Use PGP to Sign Packages
  - From: Jeffrey Walton <noloader@gmail.com>

Prev by Date: Re: Why Does Debian Use PGP to Sign Packages
Next by Date: Re: Why Does Debian Use PGP to Sign Packages
Previous by thread: Re: Why Does Debian Use PGP to Sign Packages
Next by thread: Re: Why Does Debian Use PGP to Sign Packages
Index(es):
- Date
- Thread