Wednesday, 23 November 2016

Rejecting SHA1-signed repositories by default (Ubuntu edition)


As previously (sort of) announced, I want to turn off SHA1 by default in
apt on January 1st (in the 1.2 and 1.3 series that xenial/yakkety ship). We
already turned this off for the hash fields inside the (meta) index files;
this step now involves rejecting SHA1-based GPG signatures as well.

Now, we need to do this a bit earlier in our development
releases. My proposal is to basically start this in the
next few days with 1.4~beta1 in unstable and zesty.

The idea is that SHA1 gets rejected by default, but the
error may be lowered to a warning instead. I do not intend
to allow lowering it to no notice at all - that would be
irresponsible (and a new feature).
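To make the policy above concrete, here is an added illustration (not apt's own code) of how a verifier can tell which digest a repository signature uses and apply the "reject by default, optionally lower to a warning" rule. It parses the status lines gpgv prints with --status-fd, where the VALIDSIG line carries the hash algorithm as an RFC 4880 id; the status output and key fingerprints below are constructed samples.

```python
from dataclasses import dataclass

# RFC 4880 hash algorithm ids, as reported in the hash-algo field of gpgv's VALIDSIG line.
DIGESTS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
           9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK = {"MD5", "SHA1", "RIPEMD160"}

# Constructed gpgv --status-fd output: one Release.gpg signed with SHA1, one with SHA512.
SAMPLE_SHA1 = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Archive Key <placeholder@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2016-11-23 1479859200 0 4 0 1 2 00 0123456789ABCDEF0123456789ABCDEF01234567
"""
SAMPLE_SHA512 = SAMPLE_SHA1.replace(" 1 2 00 ", " 1 10 00 ")


@dataclass
class Verdict:
    digest: str
    level: str    # "ok", "warning" or "error"
    message: str


def digests_of_valid_signatures(status_text):
    """Return the digest name for every VALIDSIG line in gpgv status output."""
    found = []
    for line in status_text.splitlines():
        fields = line.split()
        # Layout: [GNUPG:] VALIDSIG fpr date ts expire version reserved pubkey-algo hash-algo ...
        if len(fields) >= 10 and fields[:2] == ["[GNUPG:]", "VALIDSIG"]:
            found.append(DIGESTS.get(int(fields[9]), "Unknown(%s)" % fields[9]))
    return found


def check_release_signature(status_text, allow_weak=False):
    """Weak digests are an error by default; allow_weak lowers them to a warning, never to silence."""
    digests = digests_of_valid_signatures(status_text)
    if not digests:
        return [Verdict("none", "error", "no valid signature found")]
    verdicts = []
    for d in digests:
        if d in WEAK:
            level = "warning" if allow_weak else "error"
            verdicts.append(Verdict(d, level, "signature uses weak digest %s" % d))
        else:
            verdicts.append(Verdict(d, "ok", "signature digest %s accepted" % d))
    return verdicts
```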

Once we have done that in zesty, we can do the same thing for
the previously announced Jan 1st date for xenial and yakkety;
possibly delaying the xenial one slightly.

There will be an upstream thread in the Debian lists discussing
the non-Ubuntu related stuff as well.

Opinions welcome.
