Package: apt
Version: 1.2.10
Severity: important

Hello,

I tried to install a compiler from emdebian because there is no corresponding version in Debian main archives and

 - apt warns that the source uses SHA1 hash
 - the package is shown as untrusted

Since no exploit is known for sha1, apt (and aptitude) should show warning about weak hash but not show the packages as untrusted.

I cannot tell totally unsigned packages from packages which use hash that Debian maintainers somehow dislike.

This is unacceptable with many archives around using these hashes.

Thanks

Michal

-- Package-specific info:

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (910, 'testing'), (900, 'stable'), (610, 'oldstable'), (410, 'unstable'), (400, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armhf

Kernel: Linux 4.3.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)

Versions of packages apt depends on:
ii  adduser                 3.114
ii  debian-archive-keyring  2014.3
ii  gnupg                   1.4.20-5
ii  gnupg2                  2.1.11-6
ii  gpgv                    1.4.20-5
ii  init-system-helpers     1.29
ii  libapt-pkg5.0           1.2.10
ii  libc6                   2.22-5
ii  libgcc1                 1:5.3.1-13
ii  libstdc++6              5.3.1-13

apt recommends no packages.

Versions of packages apt suggests:
ii  apt-doc     1.2.10
ii  aptitude    0.7.5-3
ii  dpkg-dev    1.18.4
ii  python-apt  1.1.0~beta2

-- no debconf information