
Bug#820910: apt no longer verifies repositories using sha1 hash



Package: apt
Version: 1.2.10
Severity: important

Hello,

I tried to install a compiler from emdebian because there is no
corresponding version in debian main archives and

 - apt warns that the source uses SHA1 hash
 - the package is shown as untrusted

Since no exploit is known for sha1, apt (and aptitude) should show a
warning about the weak hash but not show the packages as untrusted.

I cannot tell totally unsigned packages from packages which use a hash that
Debian maintainers somehow dislike.

This is unacceptable with many archives around using these hashes.

Thanks

Michal

-- Package-specific info:


-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (910, 'testing'), (900, 'stable'), (610, 'oldstable'), (410, 'unstable'), (400, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armhf

Kernel: Linux 4.3.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)

Versions of packages apt depends on:
ii  adduser                 3.114
ii  debian-archive-keyring  2014.3
ii  gnupg                   1.4.20-5
ii  gnupg2                  2.1.11-6
ii  gpgv                    1.4.20-5
ii  init-system-helpers     1.29
ii  libapt-pkg5.0           1.2.10
ii  libc6                   2.22-5
ii  libgcc1                 1:5.3.1-13
ii  libstdc++6              5.3.1-13

apt recommends no packages.

Versions of packages apt suggests:
ii  apt-doc     1.2.10
ii  aptitude    0.7.5-3
ii  dpkg-dev    1.18.4
ii  python-apt  1.1.0~beta2

-- no debconf information
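The report describes an archive whose Release file carries only MD5Sum and SHA1 blocks. The following is an added example, not part of the bug report or of apt's own code, that parses the hash blocks of a Release file and classifies the archive so an administrator can find SHA1-only sources before apt flags them; the Release contents are constructed samples, and the STRONG/WEAK sets are an assumption, not apt's exact policy.

```python
"""Inspect a Debian Release file for the hash algorithms it publishes."""
import re

# Constructed sample: a Release file that only carries MD5Sum and SHA1 blocks.
SAMPLE_RELEASE_SHA1_ONLY = """\
Origin: Example
Suite: stable
Date: Sat, 09 Apr 2016 10:00:00 UTC
Architectures: amd64
Components: main
MD5Sum:
 d41d8cd98f00b204e9800998ecf8427e 0 main/binary-amd64/Packages
SHA1:
 da39a3ee5e6b4b0d3255bfef95601890afd80709 0 main/binary-amd64/Packages
"""

# Constructed sample: the same archive, additionally publishing SHA256.
SAMPLE_RELEASE_SHA256 = SAMPLE_RELEASE_SHA1_ONLY + """\
SHA256:
 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 0 main/binary-amd64/Packages
"""

# Assumed classification, not apt's exact rules: SHA256/SHA512 is sufficient,
# MD5/SHA1 alone is only good for a warning.
STRONG = {"SHA256", "SHA512"}
WEAK = {"MD5Sum", "SHA1"}

def parse_hash_sections(text):
    """Return {algorithm: {path: (hexdigest, size)}} for each hash block.

    A block starts with a line such as 'SHA1:' and continues with lines
    indented by one space: '<digest> <size> <path>'."""
    sections, current = {}, None
    for line in text.splitlines():
        if not line.startswith(" "):
            m = re.match(r"^(MD5Sum|SHA1|SHA256|SHA512):\s*$", line)
            current = sections.setdefault(m.group(1), {}) if m else None
        elif current is not None:
            digest, size, path = line.split()
            current[path] = (digest, int(size))
    return sections

def classify_release(text):
    """'strong' if a SHA256/SHA512 block exists, 'weak' if only MD5/SHA1,
    'none' if the file publishes no hash blocks at all."""
    algos = set(parse_hash_sections(text))
    if algos & STRONG:
        return "strong"
    if algos & WEAK:
        return "weak"
    return "none"
```

Running `classify_release` over the Release files in /var/lib/apt/lists lists the archives that will be reported as weak once apt stops accepting SHA1 alone.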
