--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: apt should use both md5 and sha1
- From: "Thomas Geyer" <geyerth@googlemail.com>
- Date: Mon, 14 May 2007 22:20:18 +0200
- Message-id: <fe4da5070705141320i27935cf9qc20b84ef26ead30e@mail.gmail.com>
Package: apt
Version: 0.6.46.4
Severity: wishlist
Collisions for md5 and sha1 were found already,
so it's likely that in the nearer future one of them alone won't be
safe enough.
Since it is harder to find collisions for two checksums than for one,
apt should use both of them at the same time for verifying packages.
--- End Message ---
--- Begin Message ---
- To: 423902-done@bugs.debian.org
- Subject: Re: Bug#423902: apt should use both md5 and sha1
- From: Julian Andres Klode <jak@debian.org>
- Date: Thu, 4 Feb 2016 00:17:18 +0100
- Message-id: <20160204001528.GA9363@debian.org>
- In-reply-to: <fe4da5070705141320i27935cf9qc20b84ef26ead30e@mail.gmail.com>
- References: <fe4da5070705141320i27935cf9qc20b84ef26ead30e@mail.gmail.com>
On Mon, May 14, 2007 at 10:20:18PM +0200, Thomas Geyer wrote:
> Package: apt
> Version: 0.6.46.4
> Severity: wishlist
>
>
> Collisions for md5 and sha1 were found already,
> so it's likely that in the nearer future one of them alone won't be
> safe enough.
>
> Since it is harder to find collisions for two checksums than for one,
> apt should use both of them at the same time for verifying packages.
We now check all available checksums (AFAIK) and better ones, so I am
closing this.
We have not marked SHA1 as unsecure yet, so this requires your repo
to provide better than SHA1 signatures.
Note that gpg also happily accepts or accepted this until recently.
--
Julian Andres Klode - Debian Developer, Ubuntu Member
See http://wiki.debian.org/JulianAndresKlode and http://jak-linux.org/.
When replying, only quote what is necessary, and write each reply
directly below the part(s) it pertains to (`inline'). Thank you.
--- End Message ---
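
The policy described in the closing reply (verify every checksum the repository provides, and rely on the repository providing something stronger than the weak ones) can be sketched as follows. This is an added example, not apt's code and not part of either message: the function names, the `weak` default and the sample stanza are assumptions constructed for illustration, and only the field names (`MD5sum`, `SHA1`, `SHA256`, `SHA512`, `Size`) follow the Debian Packages index.

```python
import hashlib

# Packages-index field name -> hashlib algorithm, weakest to strongest.
FIELDS = [("MD5sum", "md5"), ("SHA1", "sha1"),
          ("SHA256", "sha256"), ("SHA512", "sha512")]

def parse_stanza(text):
    """Parse one 'Field: value' stanza into a dict (no continuation lines)."""
    fields = {}
    for line in text.strip().splitlines():
        name, _, value = line.partition(":")
        fields[name.strip()] = value.strip()
    return fields

def verify(data, stanza, weak=("MD5sum",)):
    """Check data against every checksum listed in the stanza.

    Returns (ok, reason). Every listed checksum must match, and at least one
    must be outside `weak` (the default weak set is this example's assumption).
    """
    if "Size" in stanza and int(stanza["Size"]) != len(data):
        return False, "size mismatch"
    checked = []
    for field, algo in FIELDS:
        if field not in stanza:
            continue
        if hashlib.new(algo, data).hexdigest() != stanza[field].lower():
            return False, f"{field} mismatch"
        checked.append(field)
    if not any(f not in weak for f in checked):
        return False, "no trusted checksum present"
    return True, "verified: " + ", ".join(checked)

def sample_stanza(data, fields):
    """Build a constructed stanza for `data` carrying the given checksum fields."""
    lines = [f"Size: {len(data)}"]
    lines += [f"{f}: {hashlib.new(a, data).hexdigest()}"
              for f, a in FIELDS if f in fields]
    return parse_stanza("\n".join(lines))

if __name__ == "__main__":
    pkg = b"constructed package payload\n"  # constructed sample, not a real .deb
    print(verify(pkg, sample_stanza(pkg, {"MD5sum", "SHA1", "SHA256"})))
    print(verify(pkg, sample_stanza(pkg, {"MD5sum"})))
    # Same repository metadata, but with SHA1 also treated as weak:
    print(verify(pkg, sample_stanza(pkg, {"MD5sum", "SHA1"}),
                 weak=("MD5sum", "SHA1")))
```

A stanza in which only a weak checksum matches is rejected even though nothing mismatched, which is the case where the repository has to provide a stronger hash.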