
Bug#423902: marked as done (apt should use both md5 and sha1)



Your message dated Thu, 4 Feb 2016 00:17:18 +0100
with message-id <20160204001528.GA9363@debian.org>
and subject line Re: Bug#423902: apt should use both md5 and sha1
has caused the Debian Bug report #423902,
regarding apt should use both md5 and sha1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
423902: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=423902
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: apt
Version: 0.6.46.4
Severity: wishlist


Collisions for md5 and sha1 were found already,
so it's likely, that in the nearer future one of them alone won't be
safe enough.

Since it is harder to find collisions for two checksums than for one,
apt should use both of them at the same time for verifying packages.


--- End Message ---
--- Begin Message ---
On Mon, May 14, 2007 at 10:20:18PM +0200, Thomas Geyer wrote:
> Package: apt
> Version: 0.6.46.4
> Severity: wishlist
> 
> 
> Collisions for md5 and sha1 were found already,
> so it's likely, that in the nearer future one of them alone won't be
> safe enough.
> 
> Since it is harder to find collisions for two checksums than for one,
> apt should use both of them at the same time for verifying packages.

We now check all available checksums (AFAIK) and better ones, so I am
closing this.

We have not marked SHA1 as unsecure yet, so this requires your repo
to provide better than SHA1 signatures.

Note that gpg also happily accepts or accepted this until recently.

-- 
Julian Andres Klode  - Debian Developer, Ubuntu Member

See http://wiki.debian.org/JulianAndresKlode and http://jak-linux.org/.

When replying, only quote what is necessary, and write each reply
directly below the part(s) it pertains to (`inline'). Thank you.

--- End Message ---
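
The check discussed in this thread, verifying a file against every checksum the repository lists rather than a single one, as an added example that is not part of the original messages and is not apt's code. It reads the MD5Sum/SHA1/SHA256/SHA512 fields of a Debian Release-style file; the function names, the sample data and the policy of treating only SHA256/SHA512 as strong are assumptions of this example.

```python
import hashlib

# Release-file field name -> hashlib algorithm name.
FIELDS = {"MD5Sum": "md5", "SHA1": "sha1", "SHA256": "sha256", "SHA512": "sha512"}
STRONG = {"SHA256", "SHA512"}  # assumption: policy chosen for this example only

def parse_release(text):
    """Return {path: {field: (hexdigest, size)}} from Release-style checksum fields."""
    entries, field = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace():      # a new top-level field starts here
            name = line.split(":", 1)[0]
            field = name if name in FIELDS else None
        elif field and line.strip():            # indented " digest size path" entry
            digest, size, path = line.split()
            entries.setdefault(path, {})[field] = (digest.lower(), int(size))
    return entries

def verify(path, data, entries, require_strong=True):
    """Check data against every listed digest and size; return (ok, reasons)."""
    listed = entries.get(path)
    if not listed:
        return False, ["no checksum listed for " + path]
    reasons = []
    if require_strong and not STRONG.intersection(listed):
        reasons.append("only weak digests listed: " + ", ".join(sorted(listed)))
    for field, (digest, size) in listed.items():
        if size != len(data):
            reasons.append(f"{field}: size mismatch")
        elif hashlib.new(FIELDS[field], data).hexdigest() != digest:
            reasons.append(f"{field}: digest mismatch")
    return not reasons, reasons                 # every listed digest must match

def make_release(path, data, fields):
    """Build a constructed Release-style fragment for the demo below."""
    out = ["Origin: example (constructed)"]
    for f in fields:
        out.append(f + ":")
        out.append(f" {hashlib.new(FIELDS[f], data).hexdigest()} {len(data)} {path}")
    return "\n".join(out)

if __name__ == "__main__":
    good = b"constructed package index\n"       # constructed sample content
    rel = parse_release(make_release("main/Packages", good, ["MD5Sum", "SHA1", "SHA256"]))
    print(verify("main/Packages", good, rel))
    print(verify("main/Packages", good + b"x", rel))
```
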
