On 27/06/13 21:44, Florian Weimer wrote: > * Daniel Pocock: > >> However, are such issues at the discretion of package maintainers and >> upstream, or is it useful to have a uniform Debian approach to >> cryptographic strength? > > Keep in mind that RFC 4880 (OpenPGP) hard-codes SHA-1 in several > places, notably for key fingerprints. If there's a uniform strength > requirement, we need some weasel words that GnuPG remains compliant. > > It's also unclear if SHA-256 or SHA-512 is stronger, and if either > really is that much better than SHA-1. >
Just to clarify, although my query was related to the use of this hash in GnuPG, the reason for the email on debian-devel is for the system-wide policy on hashes: which could mean any package (e.g. git uses SHA-1 too, some of the X.509 root certs use an SHA-1 hash) The first question then - do we even need to care, as a project, about being pro-active? Or just leave it at the discretion of derivatives and end-users to make their own policies? That's quite OK as long as this approach is documented. The security page[1] says "Debian takes security very seriously" and some users may ask how we apply that philosophy to SHA-1 given that it is on various alerts[2]. It may be that we say "Some packages include SHA-1 technology and if the attack potential crosses some threshold X the security team will not support them." Then it is up to maintainers and upstreams to think about and start making plans for the future of their packages. 1. http://www.debian.org/security/ 2. http://www.dsd.gov.au/publications/csocprotect/sha-1_deprecated.htm -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/51cc9db9.8060...@pocock.com.au