[Bug 1098738] Re: apt-get source only checks md5 hashes in Sources files
Christoph Anton Mitterer
calestyo at scientia.net
Wed Jun 18 02:24:35 UTC 2014
Is this still open?
Sounds rather critical (MD5 is really severely broken)...
IMHO APT's behaviour with respect to verifying signatures should generally be the following:
Secure APT should always verify _all_ of the present sums and fail if
_any_ of them doesn't match.... and it should _always_ expect at least
one hash of some type to be present (i.e. a secure one like SHA3, or
SHA512)... and fail if that one is not present.
--
https://bugs.launchpad.net/bugs/1098738
Title:
apt-get source only checks md5 hashes in Sources files
Status in “apt” package in Ubuntu:
In Progress
Bug description:
'apt-get source' only validates the md5 hash in the Sources file.
Ideally, it should check the sha hashes also.
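The policy proposed in the comment above (check every sum that is present, fail on any mismatch, and fail when no strong hash is listed), as an added Python example; it is not APT's code. The field-to-algorithm map, the choice of SHA-256/SHA-512 as the "strong" set and the function names are assumptions, and the Sources stanza is constructed by the helper.

```python
import hashlib

# Sources-stanza field -> hashlib algorithm name (assumed mapping for this example)
FIELDS = {"Files": "md5", "Checksums-Sha1": "sha1",
          "Checksums-Sha256": "sha256", "Checksums-Sha512": "sha512"}
STRONG = {"sha256", "sha512"}  # assumption: what counts as a secure hash here


def parse_sums(stanza, filename):
    """Return {algo: (hexdigest, size)} for filename from one Sources stanza."""
    sums, field = {}, None
    for line in stanza.splitlines():
        if line[:1] in (" ", "\t"):      # continuation: "<hash> <size> <name>"
            parts = line.split()
            if field in FIELDS and len(parts) == 3 and parts[2] == filename:
                sums[FIELDS[field]] = (parts[0].lower(), int(parts[1]))
        elif ":" in line:
            field = line.split(":", 1)[0]
    return sums


def verify(stanza, filename, data):
    """Check every listed sum; raise ValueError on a mismatch or a missing strong hash."""
    sums = parse_sums(stanza, filename)
    if STRONG.isdisjoint(sums):          # an MD5/SHA-1-only entry is rejected
        raise ValueError("no strong hash listed for " + filename)
    for algo, (digest, size) in sums.items():
        if size != len(data):
            raise ValueError(algo + ": size mismatch")
        if hashlib.new(algo, data).hexdigest() != digest:
            raise ValueError(algo + ": hash mismatch")
    return sorted(sums)                  # algorithms that were all verified


def make_stanza(data, name, fields, tamper=None):
    """Build a constructed Sources stanza for the demo (not real archive data)."""
    out = ["Package: demo"]
    for f in fields:
        d = hashlib.new(FIELDS[f], data).hexdigest()
        if f == tamper:                  # simulate a field that disagrees with the file
            d = "0" * len(d)
        out += [f + ":", " %s %d %s" % (d, len(data), name)]
    return "\n".join(out) + "\n"
```

A stanza whose MD5 entry matches but whose SHA-256 entry does not is rejected, which is the case an MD5-only check lets through.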