Bug#820910: apt no longer verifies repositories using sha1 hash
Package: apt
Version: 1.2.10
Severity: important
Hello,
I tried to install a compiler from emdebian because there is no
corresponding version in the Debian main archives and
- apt warns that the source uses a SHA1 hash
- the package is shown as untrusted
Since no exploit is known for sha1, apt (and aptitude) should show a
warning about the weak hash but not show the packages as untrusted.
I cannot tell totally unsigned packages from packages which use a hash that
Debian maintainers somehow dislike.
This is unacceptable with many archives around using these hashes.
Thanks
Michal
-- Package-specific info:
-- System Information:
Debian Release: stretch/sid
APT prefers testing
APT policy: (910, 'testing'), (900, 'stable'), (610, 'oldstable'), (410, 'unstable'), (400, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armhf
Kernel: Linux 4.3.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)
Versions of packages apt depends on:
ii adduser 3.114
ii debian-archive-keyring 2014.3
ii gnupg 1.4.20-5
ii gnupg2 2.1.11-6
ii gpgv 1.4.20-5
ii init-system-helpers 1.29
ii libapt-pkg5.0 1.2.10
ii libc6 2.22-5
ii libgcc1 1:5.3.1-13
ii libstdc++6 5.3.1-13
apt recommends no packages.
Versions of packages apt suggests:
ii apt-doc 1.2.10
ii aptitude 0.7.5-3
ii dpkg-dev 1.18.4
ii python-apt 1.1.0~beta2
-- no debconf information
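The distinction the report asks for, between an archive that is signed but carries only MD5/SHA1 digests and one that is unsigned or whose indexes fail verification, can be made by reading the Release file's checksum sections. The following is an added illustration written for this page, not code from apt or from the reporter: it parses a Release file, records which digest algorithms cover each index, and verifies an index against the strongest one, refusing MD5/SHA1-only entries by default the way apt 1.2 does. The Release text, the index contents and the helper names are constructed for the example; the archive metadata in the report is not reproduced here.

```python
"""Classify the checksum coverage of an APT Release file and verify an
index against its strongest digest. Added example, not apt's own code."""
import hashlib

# Checksum section names as they appear in a Release file, weakest first.
# apt 1.2 does not accept MD5Sum or SHA1 as the only digest for an index.
STRENGTH = {"MD5Sum": 0, "SHA1": 1, "SHA256": 2, "SHA512": 3}
HASHLIB_NAME = {"MD5Sum": "md5", "SHA1": "sha1",
                "SHA256": "sha256", "SHA512": "sha512"}
WEAK = {"MD5Sum", "SHA1"}


def parse_release(text):
    """Return {path: {algo: (hexdigest, size)}} from Release file text.

    A checksum section starts with a line such as "SHA256:" and continues
    with indented lines of "<hexdigest> <size> <path>". Any other field
    (Origin:, Suite:, ...) ends the current section."""
    digests = {}
    section = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):
            field = line.split(":", 1)[0]
            section = field if field in STRENGTH else None
            continue
        if section is None:
            continue
        parts = line.split()
        if len(parts) != 3:
            continue  # malformed entry: ignore it rather than trust it
        hexdigest, size, path = parts
        digests.setdefault(path, {})[section] = (hexdigest.lower(), int(size))
    return digests


def strongest(algos):
    """Name of the strongest algorithm among the keys of a digest map."""
    return max(algos, key=lambda a: STRENGTH[a])


def classify(digests):
    """('strong', []) if every index has SHA256 or SHA512, otherwise
    ('weak-only', [paths covered only by MD5/SHA1])."""
    weak_only = sorted(p for p, a in digests.items() if set(a) <= WEAK)
    return ("weak-only", weak_only) if weak_only else ("strong", [])


def verify_index(digests, path, data, allow_weak=False):
    """Check fetched index bytes against the strongest digest listed for
    it. Returns (ok, algorithm_used). Entries that only carry a weak
    digest are refused unless allow_weak is set, mirroring apt's default."""
    entry = digests.get(path)
    if not entry:
        return False, None          # index not listed: nothing to verify against
    algo = strongest(entry)
    if algo in WEAK and not allow_weak:
        return False, algo
    expected, size = entry[algo]
    if len(data) != size:
        return False, algo
    actual = hashlib.new(HASHLIB_NAME[algo], data).hexdigest()
    return actual == expected, algo


# Constructed sample (hypothetical archive): the amd64 index is covered by
# SHA256, the armhf index only by MD5 and SHA1, as in an old-style archive.
PACKAGES_AMD64 = b"Package: foo\nVersion: 1.0\nArchitecture: amd64\n\n"
PACKAGES_ARMHF = b"Package: foo\nVersion: 1.0\nArchitecture: armhf\n\n"


def _hex(name, data):
    return hashlib.new(name, data).hexdigest()


SAMPLE_RELEASE = (
    "Origin: example\n"
    "Suite: unstable\n"
    "Architectures: amd64 armhf\n"
    "MD5Sum:\n"
    f" {_hex('md5', PACKAGES_AMD64)} {len(PACKAGES_AMD64)} main/binary-amd64/Packages\n"
    f" {_hex('md5', PACKAGES_ARMHF)} {len(PACKAGES_ARMHF)} main/binary-armhf/Packages\n"
    "SHA1:\n"
    f" {_hex('sha1', PACKAGES_AMD64)} {len(PACKAGES_AMD64)} main/binary-amd64/Packages\n"
    f" {_hex('sha1', PACKAGES_ARMHF)} {len(PACKAGES_ARMHF)} main/binary-armhf/Packages\n"
    "SHA256:\n"
    f" {_hex('sha256', PACKAGES_AMD64)} {len(PACKAGES_AMD64)} main/binary-amd64/Packages\n"
)

if __name__ == "__main__":
    d = parse_release(SAMPLE_RELEASE)
    print(classify(d))
    print(verify_index(d, "main/binary-amd64/Packages", PACKAGES_AMD64))
    print(verify_index(d, "main/binary-armhf/Packages", PACKAGES_ARMHF))
    print(verify_index(d, "main/binary-armhf/Packages", PACKAGES_ARMHF, allow_weak=True))
```

Run against a real archive by feeding it the Release (or the signed body of InRelease) and the fetched Packages file; a "weak-only" result means the archive is signed but apt will not verify its indexes, which is a different situation from a missing or bad signature, and the only durable fix is for the archive to publish SHA256 digests. Signature checking itself is outside this example; it only covers the digest step that follows a successful gpgv verification.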