
Rejecting SHA1-signed repositories by default



Hi,

as previously (sort of) announced I want to turn off SHA1 on January 1st
by default in apt (in the 1.2 and 1.3 series xenial/yakkety ship). We
already turned this off for fields inside the (meta) index files,
this step now involves rejecting SHA1-based GPG signatures as well.

Now, we need to do this a bit earlier in our development
releases. My proposal is to basically start this in the
next few days with 1.4~beta1 in unstable and zesty. 

The idea is that SHA1 gets rejected by default, but the
error may be lowered to a warning instead. I do not intend
to allow lowering it to no notice at all - that would be
irresponsible (and a new feature).

Once this has been done, we can hopefully easily change
the stable series in the Ubuntu releases for the announced
Jan 01 date, although this is not really my decision.

Opinions welcome.
-- 
Debian Developer - deb.li/jak | jak-linux.org - free software dev

When replying, only quote what is necessary, and write each reply
directly below the part(s) it pertains to ('inline').  Thank you.
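The check an administrator would want before this default lands is an inventory of which repositories still carry SHA1-based signatures. The following is an added example, not code from the post or from apt itself: it parses the output of `gpg --list-packets` run over a `Release.gpg` or `InRelease` file and reports the digest algorithm of every signature packet, mapping the proposal's two modes (reject, or lower to a warning) onto a verdict. The packet listings embedded below are constructed for the demonstration; the digest algorithm numbers are the RFC 4880 identifiers that gpg prints. How apt treats a file carrying both a SHA1 and a SHA256 signature is not stated in the message, so that case is reported as "mixed" rather than assumed.

```python
"""Audit apt repository signatures for weak (SHA1/MD5) digests.

Added example, not part of the mailing-list post or of apt.  Parses
`gpg --list-packets <file>` output and reports per-signature digest
algorithms.  The sample listings at the bottom are constructed.
"""
import re
import subprocess

# RFC 4880 section 9.4 hash identifiers as printed by gpg's
# "digest algo N" field.
DIGEST_ALGOS = {
    1: "MD5", 2: "SHA1", 3: "RIPEMD160",
    8: "SHA256", 9: "SHA384", 10: "SHA512", 11: "SHA224",
}
# Digests apt will no longer accept by default for repository signatures.
WEAK_DIGESTS = {"MD5", "SHA1", "RIPEMD160"}


def gpg_list_packets(path):
    """Run gpg on a detached or clearsigned signature file (not used offline)."""
    out = subprocess.run(["gpg", "--list-packets", path],
                         capture_output=True, text=True, check=True)
    return out.stdout


def parse_signature_packets(listing):
    """Return one dict per signature packet: {'keyid': ..., 'digest': ...}."""
    sigs = []
    for raw in listing.splitlines():
        line = raw.strip()
        if line.startswith(":signature packet:"):
            m = re.search(r"keyid ([0-9A-Fa-f]+)", line)
            sigs.append({"keyid": m.group(1) if m else None, "digest": None})
        elif sigs and line.startswith("digest algo"):
            # e.g. "digest algo 2, begin of digest ab cd"
            algo = int(line.split()[2].rstrip(","))
            sigs[-1]["digest"] = DIGEST_ALGOS.get(algo, "algo %d" % algo)
    return sigs


def audit(listing, sha1_as_warning=False):
    """Classify a signature listing under the proposed apt default.

    sha1_as_warning mirrors the proposal's option of lowering the error
    to a warning; lowering it to silence is deliberately not offered.
    """
    sigs = parse_signature_packets(listing)
    weak = [s for s in sigs if s["digest"] in WEAK_DIGESTS]
    strong = [s for s in sigs if s["digest"] and s["digest"] not in WEAK_DIGESTS]
    if not sigs:
        verdict = "unsigned"
    elif not weak:
        verdict = "ok"
    elif strong:
        # Both strong and weak signatures present; apt's handling of this
        # case is not described in the post, so it is only flagged here.
        verdict = "mixed"
    elif sha1_as_warning:
        verdict = "warning"
    else:
        verdict = "rejected"
    return {"signatures": sigs, "weak": weak, "verdict": verdict}


# Constructed sample: one SHA1 (algo 2) and one SHA256 (algo 8) signature.
SAMPLE_MIXED = """\
# off=0 ctb=89 tag=2 hlen=3 plen=284
:signature packet: algo 1, keyid 0123456789ABCDEF
\tversion 4, created 1480000000, md5len 0, sigclass 0x01
\tdigest algo 2, begin of digest ab cd
\tdata: [2048 bits]
# off=287 ctb=89 tag=2 hlen=3 plen=540
:signature packet: algo 1, keyid FEDCBA9876543210
\tversion 4, created 1480000000, md5len 0, sigclass 0x01
\tdigest algo 8, begin of digest 12 34
\tdata: [4096 bits]
"""

# Constructed sample: a single SHA1 signature, as an old repository might ship.
SAMPLE_SHA1_ONLY = """\
:signature packet: algo 1, keyid 0123456789ABCDEF
\tversion 4, created 1480000000, md5len 0, sigclass 0x01
\tdigest algo 2, begin of digest ab cd
\tdata: [2048 bits]
"""

if __name__ == "__main__":
    for name, listing in (("mixed", SAMPLE_MIXED), ("sha1-only", SAMPLE_SHA1_ONLY)):
        report = audit(listing)
        print(name, report["verdict"],
              [s["digest"] for s in report["signatures"]])
```

To audit a real mirror, pass `gpg_list_packets("/var/lib/apt/lists/<mirror>_InRelease")` to `audit()` for each list file; any `rejected` entry is a repository that will stop working under the new default unless its publisher re-signs it, and the warning mode only buys time.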