Package: ftp.debian.org
Severity: wishlist

I just noticed today that the GPG signatures (in Release.gpg and InRelease) use SHA1. SHA1 is the default algorithm in GnuPG (because it is the OpenPGP must-implement algorithm), but using it instead of something stronger weakens the entire system. It seems silly to use SHA256 in the Release file if the signature uses a weaker algorithm. Therefore, I suggest using SHA-256 or SHA-512 for the GnuPG signatures.

The former is consistent with the Release file and is faster on 32-bit architectures while the latter is faster on 64-bit architectures; nevertheless, the difference in speed is small for the amount of data being processed. Full read/write support for SHA-256 in GnuPG has been present since version 1.3.3 in 2003, and since we don't support sarge anymore, I don't think backward compatibility is an issue.

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
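As an added example (not part of the report or of any Debian tooling), a small Python parser that walks the packets of a binary OpenPGP signature (the output of `gpg --dearmor < Release.gpg`, for instance) and reports the digest algorithm each signature packet declares, so a mirror or repository operator can check whether a Release.gpg still uses SHA1. The sample packets at the bottom are constructed and truncated; only the header and the first signature fields are needed for this check.

```python
# Digest algorithm ids from RFC 4880 section 9.4; SHA1 is id 2, SHA256 is 8.
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK = {"MD5", "SHA1", "RIPEMD160"}

def _packets(data: bytes):
    """Yield (tag, body) for each packet; handles old- and new-format headers."""
    i = 0
    while i < len(data):
        hdr = data[i]
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:  # new-format header: tag in low 6 bits, variable length
            tag = hdr & 0x3F
            first = data[i + 1]
            if first < 192:
                length, i = first, i + 2
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i + 2] + 192, i + 3
            elif first == 255:
                length, i = int.from_bytes(data[i + 2:i + 6], "big"), i + 6
            else:
                raise ValueError("partial body lengths not supported")
        else:  # old-format header: tag in bits 2-5, length-type in low 2 bits
            tag = (hdr >> 2) & 0x0F
            ltype = hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            n = 1 << ltype  # 1, 2 or 4 length octets
            length, i = int.from_bytes(data[i + 1:i + 1 + n], "big"), i + 1 + n
        yield tag, data[i:i + length]
        i += length

def signature_digests(data: bytes):
    """Return the digest algorithm name of every signature packet (tag 2)."""
    out = []
    for tag, body in _packets(data):
        if tag != 2:
            continue
        version = body[0]
        # v3: version, hashed-len, type, time(4), keyid(8), pk algo, hash algo
        # v4 and later: version, type, pk algo, hash algo
        hash_id = body[16] if version == 3 else body[3]
        out.append(HASH_ALGOS.get(hash_id, f"unknown({hash_id})"))
    return out

def weak_digests(data: bytes):
    """Digest names from signature_digests() that a Release.gpg should not use."""
    return [h for h in signature_digests(data) if h in WEAK]

# Constructed, truncated packets: old-format header, v4 RSA signature with SHA1,
# then a new-format header, v4 RSA signature with SHA256.
SHA1_SIG = bytes([0x88, 0x04, 0x04, 0x00, 0x01, 0x02])
SHA256_SIG = bytes([0xC2, 0x04, 0x04, 0x00, 0x01, 0x08])
RELEASE_GPG = SHA1_SIG + SHA256_SIG  # a file signed by two keys
```

`gpg --list-packets` on the same file shows the same `digest algo` field; this parser only exists to script the check over many Release.gpg files.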