Rejecting SHA1-signed repositories by default (Ubuntu edition)
Julian Andres Klode
juliank at ubuntu.com
Thu Nov 24 00:19:12 UTC 2016
Hi,
as previously (sort of) announced I want to turn off SHA1 on January 1st
by default in apt (in the 1.2 and 1.3 series xenial/yakkety ship). We
already turned this off for fields inside the (meta) index files,
this step now involves rejecting SHA1-based GPG signatures as well.
Now, we need to do this a bit earlier in our development
releases. My proposal is to basically start this in the
next few days with 1.4~beta1 in unstable and zesty.
The idea is that SHA1 gets rejected by default, but the
error may be lowered to a warning instead. I do not intend
to allow lowering it to no notice at all - that would be
irresponsible (and a new feature).
Once we have done that in zesty, we can do the same thing for
the previously announced Jan 1st date for xenial and yakkety;
possibly delaying the xenial one slightly.
There will be an upstream thread in the Debian lists discussing
the non-Ubuntu related stuff as well.
Opinions welcome.
--
Debian Developer - deb.li/jak | jak-linux.org - free software dev
When replying, only quote what is necessary, and write each reply
directly below the part(s) it pertains to ('inline'). Thank you.