Wednesday 23 November 2016

Rejecting SHA1-signed repositories by default (Ubuntu edition)

Hi,

as previously (sort of) announced I want to turn off SHA1 on January 1st
by default in apt (in the 1.2 and 1.3 series xenial/yakkety ship). We
already turned this off for fields inside the (meta) index files,
this step now involves rejecting SHA1-based GPG signatures as well.

Now, we need to do this a bit earlier in our development
releases. My proposal is to basically start this in the
next few days with 1.4~beta1 in unstable and zesty.

The idea is that SHA1 gets rejected by default, but the
error may be lowered to a warning instead. I do not intent
to allow lowering it to no notice at all - that would be
unresponsible (and a new feature).

Once we have done that in zesty, we can do the same thing for
the previously announced Jan 1st date for xenial and yakkety;
possibly delaying the xenial one slightly.

There will be an upstream thread in the Debian lists discussing
the non-Ubuntu related stuff as well.

Opinions welcome.
--
Debian Developer - deb.li/jak | jak-linux.org - free software dev

When replying, only quote what is necessary, and write each reply
directly below the part(s) it pertains to ('inline'). Thank you.

--
ubuntu-devel mailing list
ubuntu-devel@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel