On Sat, Mar 19, 2016 at 09:00:31PM +0300, Vladimir Stavrinov wrote:
> On Wed, Mar 16, 2016 at 10:41:13PM +0100, Julian Andres Klode wrote:
>
> > I still went ahead with this and I think it's the right decision, I have
> > not heard of any other repository provider affected yet --- the others are
>
> I don't think this is the full list.
Julian started to collect them, feel free to add any unknown ones:
https://wiki.debian.org/Teams/Apt/Sha1Removal

As you can see, the amount of "broken" is low. "half-broken" is longer, but
apt generates a warning for them only at the moment (as that was to be
expected).

Note that this is a strong indication that this was the right step to take
now as long as SHA1 isn't entirely broken, so at the time we have to get
rid of it, we can without drama. Imagine the outcry if the warnings were
hard errors now because someone published a viable attack on SHA1 yesterday
(and we had to do this in stable).

Browsers have been pushing for SHA1 removal for a few years now – it would
be strange if your browsers are securing you by not using SHA1 (or even
worse), but the update channel you get your browser from depends on it…

This might also be the right time for users to reconsider if they really
need all these third-party repositories they have configured over the
years. Debian has an ever-growing archive of software after all – and if it
isn't in the archive yet, consider adding it!

Best regards

David Kalnischkies
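One practical check behind this thread is whether a repository's Release file offers anything stronger than SHA1 at all. The script below is an added example written for this page; it is not apt's code and not taken from the wiki. It parses a Release file, reports which digest sections it carries, and verifies an index file only against a SHA256/SHA512 entry, treating an MD5/SHA1-only file as unverifiable. The two Release files, the Packages content and the labels "ok"/"weak-only"/"none" are constructed for illustration and do not reproduce the "broken"/"half-broken" categories used on the wiki page.

```python
"""Classify the digest sections of a Debian-style Release file and verify
an index file only with a strong digest (added example, not apt's code)."""
import hashlib

# Release files list per-file digests under these section headers.
WEAK = {"MD5Sum", "SHA1"}        # acceptable as a warning at most
STRONG = {"SHA256", "SHA512"}    # required for integrity verification
SECTIONS = WEAK | STRONG


def parse_release(text):
    """Return {section: {path: (hexdigest, size)}} for the digest sections.

    Digest lines are indented by one space: " <hex> <size> <path>".
    Other fields (Origin, Suite, Date, ...) are skipped.
    """
    sums = {}
    current = None
    for line in text.splitlines():
        if not line.startswith(" "):
            key = line.split(":", 1)[0]
            current = sums.setdefault(key, {}) if key in SECTIONS else None
            continue
        if current is None:
            continue
        digest, size, path = line.split()
        current[path] = (digest.lower(), int(size))
    return sums


def classify(sums):
    """'ok' if a strong section exists, 'weak-only' if only MD5/SHA1, else 'none'."""
    present = {name for name, entries in sums.items() if entries}
    if present & STRONG:
        return "ok"
    if present & WEAK:
        return "weak-only"
    return "none"


def verify_index(sums, path, data):
    """Verify index bytes with the strongest available digest.

    Returns (section_used, ok). A file listed only under MD5Sum/SHA1 is
    reported as (None, False): the weak digests are deliberately not used.
    """
    for section, algo in (("SHA512", "sha512"), ("SHA256", "sha256")):
        entry = sums.get(section, {}).get(path)
        if entry:
            digest, size = entry
            ok = len(data) == size and hashlib.new(algo, data).hexdigest() == digest
            return section, ok
    return None, False


# --- constructed sample data (not from any real repository) -----------------
INDEX_PATH = "main/binary-amd64/Packages"
PACKAGES = b"Package: example-tool\nVersion: 1.0\nArchitecture: amd64\n"


def _section(name, algo):
    """Build one digest section that matches the constructed Packages file."""
    return f"{name}:\n {hashlib.new(algo, PACKAGES).hexdigest()} {len(PACKAGES)} {INDEX_PATH}\n"


HEADER = "Origin: Example\nSuite: stable\nDate: Sat, 19 Mar 2016 12:00:00 UTC\n"
RELEASE_OK = HEADER + _section("MD5Sum", "md5") + _section("SHA1", "sha1") + _section("SHA256", "sha256")
RELEASE_SHA1_ONLY = HEADER + _section("MD5Sum", "md5") + _section("SHA1", "sha1")


if __name__ == "__main__":
    for label, text in (("modern", RELEASE_OK), ("sha1-only", RELEASE_SHA1_ONLY)):
        sums = parse_release(text)
        print(label, classify(sums), verify_index(sums, INDEX_PATH, PACKAGES))
```

Running the script shows the modern file verifying via SHA256 while the SHA1-only file is classified "weak-only" and its index is left unverified; a tampered index (any change to the bytes) fails the SHA256 comparison. The size check before hashing mirrors the Release format, where every digest line also carries the file length.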