
Bug#806459:



Hi, David.

> There should probably be a message mentioning the issue rather than
> a confusing hashsum mismatch though, so I am not going to ignore the
> bug as such.

True... considering that, as a distribution maintainer, it took me nearly three days to figure out (on the second day I decided to file a bug), a warning can be really useful.

Best regards,
Jeff Bai

On Sun, Nov 29, 2015 at 4:19 PM, David Kalnischkies <david@kalnischkies.de> wrote:
Control: severity -1 wishlist
Control: retitle -1 warn if Release file includes only broken hashes

On Sun, Nov 29, 2015 at 11:21:44AM -0700, Jeff Bai wrote:
> Please ignore this bug! The issue can be solved with adding SHA1 and SHA256
> hash sum information to the Release file.

There should probably be a message mentioning the issue rather than
a confusing hashsum mismatch though, so I am not going to ignore the
bug as such.


> We only provided MD5Sum before, and that apparently annoys Apt 1.1. But
> extra security for the users, eh?

Yeap, apt 1.1 ignores MD5 for security purposes as it can be considered
broken. Note that SHA1 is on its (long) way out as that is close to being
broken, too, so SHA256 (or SHA512) is currently best practice (given
that this is what gpg is using for signatures, so more wouldn't have an
effect).


Best regards

David Kalnischkies
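To illustrate the check David's retitle asks for (warn when a Release file carries only MD5Sum/SHA1 sections), here is an added example that is not apt's code and not part of this thread. It parses the hash sections of a Release file, flags a file that lists no SHA256/SHA512 entries, and verifies an index only against a strong hash; the Release fragments and the Packages content are constructed for the example.

```python
import hashlib
import re

# Hash fields apt 1.1 still trusts, per David's message: SHA256 or SHA512.
# MD5Sum is ignored as broken; SHA1 is treated as weak as well.
STRONG = {"SHA256", "SHA512"}
WEAK = {"MD5Sum", "SHA1"}
SECTION_RE = re.compile(r"^([A-Za-z0-9]+):\s*$")

def parse_release(text):
    """Return {hash_field: {filename: (hexdigest, size)}} for the hash sections."""
    sections, current = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and current is not None:
            parts = line.split()          # " <digest> <size> <path>"
            if len(parts) == 3:
                digest, size, name = parts
                sections[current][name] = (digest, int(size))
        else:
            m = SECTION_RE.match(line)    # only bare "Field:" lines start a hash section
            current = m.group(1) if m and m.group(1) in STRONG | WEAK else None
            if current is not None:
                sections.setdefault(current, {})
    return sections

def check_release(text):
    """Return the warning apt should print for a weak-only Release file, else None."""
    present = set(parse_release(text))
    if not present:
        return "Release file lists no hash sections at all"
    if not present & STRONG:
        return "Release file only provides %s, which apt >= 1.1 ignores; add SHA256" % sorted(present)
    return None

def verify_index(sections, name, data):
    """Accept an index only if size and a strong digest match; weak-only entries fail."""
    for field in ("SHA512", "SHA256"):
        entry = sections.get(field, {}).get(name)
        if entry is not None:
            digest, size = entry
            return len(data) == size and hashlib.new(field.lower(), data).hexdigest() == digest
    return False

# Constructed sample data (hypothetical repository, not real archive content).
PACKAGES = b"Package: hello\nVersion: 2.10-1\nArchitecture: amd64\n"
INDEX = "main/binary-amd64/Packages"
MD5_ONLY = "Suite: stable\nMD5Sum:\n %s %d %s\n" % (
    hashlib.md5(PACKAGES).hexdigest(), len(PACKAGES), INDEX)
WITH_SHA256 = MD5_ONLY + "SHA256:\n %s %d %s\n" % (
    hashlib.sha256(PACKAGES).hexdigest(), len(PACKAGES), INDEX)
```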

