Control: severity -1 wishlist
Control: retitle -1 warn if Release file includes only broken hashes

On Sun, Nov 29, 2015 at 11:21:44AM -0700, Jeff Bai wrote:
> Please ignore this bug! The issue can be solved with adding SHA1 and SHA256
> hash sum information to the Release file.

There should probably be a message mentioning the issue rather than a confusing hashsum mismatch though, so I am not going to ignore the bug as such.

> We only provided MD5Sum before, and that apparently annoys Apt 1.1. But
> extra security for the users, eh?

Yeap, apt 1.1 ignores MD5 for security purposes as it can be considered broken. Note that SHA1 is on its (long) way out as that is close to being broken, too, so SHA256 (or SHA512) is currently best practice (given that this is what gpg is using for signatures, so more wouldn't have an effect).

Best regards

David Kalnischkies
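A sketch of the check the retitle asks for, as an added example that is not part of the original message and is not apt's code: it parses the hash fields of a Release file and reports when only MD5Sum is listed. The sample Release text, the status names and the messages are constructed for illustration.

```python
# Added example, not apt's implementation. Sample data below is constructed.
BROKEN = {"MD5Sum"}            # ignored by apt 1.1, per the message above
FADING = {"SHA1"}              # described above as on its way out
STRONG = {"SHA256", "SHA512"}  # described above as current best practice
HASH_FIELDS = BROKEN | FADING | STRONG

MD5_ONLY = (
    "Origin: example\nSuite: stable\nMD5Sum:\n"
    " " + "0" * 32 + " 1234 main/binary-amd64/Packages\n"
)
FIXED = MD5_ONLY + "SHA256:\n " + "0" * 64 + " 1234 main/binary-amd64/Packages\n"


def hash_fields(release_text):
    """Return {field: entry count} for every hash field in a Release file."""
    found = {}
    current = None
    for line in release_text.splitlines():
        if line[:1] in (" ", "\t"):
            # Continuation line "<digest> <size> <path>" of the current field.
            if current is not None and len(line.split()) == 3:
                found[current] += 1
            continue
        name, sep, _ = line.partition(":")
        current = name if sep and name in HASH_FIELDS else None
        if current is not None:
            found.setdefault(current, 0)
    return found


def check_release(release_text):
    """Return (status, message) describing the strongest hash field listed."""
    present = {f for f, n in hash_fields(release_text).items() if n > 0}
    if present & STRONG:
        return "ok", "usable: " + ", ".join(sorted(present & STRONG))
    if present & FADING:
        return "weak", "only SHA1 besides broken hashes; add SHA256"
    if present & BROKEN:
        return "broken-only", "Release lists only MD5Sum; add SHA256 or SHA512"
    return "none", "Release lists no hash sums"


if __name__ == "__main__":
    for label, text in (("MD5_ONLY", MD5_ONLY), ("FIXED", FIXED)):
        print(label, check_release(text))
```

Running the same check on a repository's Release file before publishing surfaces the MD5-only condition as a clear message instead of a hashsum mismatch on the client.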