Hi,

as previously (sort of) announced I want to turn off SHA1 on January 1st by default in apt (in the 1.2 and 1.3 series xenial/yakkety ship). We already turned this off for fields inside the (meta) index files, this step now involves rejecting SHA1-based GPG signatures as well.

Now, we need to do this a bit earlier in our development releases. My proposal is to basically start this in the next few days with 1.4~beta1 in unstable and zesty. The idea is that SHA1 gets rejected by default, but the error may be lowered to a warning instead. I do not intend to allow lowering it to no notice at all - that would be irresponsible (and a new feature).

Once this has been done, we can hopefully easily change the stable series in the Ubuntu releases for the announced Jan 01 date, although this is not really my decision.

Opinions welcome.

--
Debian Developer - deb.li/jak | jak-linux.org - free software dev

When replying, only quote what is necessary, and write each reply directly below the part(s) it pertains to ('inline'). Thank you.