external apt repos with no SHA-2 hashses
pages got renamed
|Deletions are marked like this.||Additions are marked like this.|
|Line 55:||Line 55:|
|Add SHA-2 support to all the [[RepositorySupport|repository tools]] that support the [[RepositoryFormat|APT repository format]].||Add SHA-2 support to all the [[DebianRepository/FeatureSupport|repository tools]] that support the [[DebianRepository/Format|APT repository format]].|
|Line 65:||Line 65:|
|Have the [[RepositorySupport|repository tools]] reject .changes and .dsc signatures that use SHA-1.||Have the [[DebianRepository/FeatureSupport|repository tools]] reject .changes and .dsc signatures that use SHA-1.|
SHA-1 is getting weaker (mainly collision resistance) so we need to start exploring where we use SHA-1 in Debian and how we need to phase it out.
git uses SHA-1 for commit identifiers.
APT repositories use SHA-1 and MD5 as hashes in addition to SHA-2.
OpenPGP uses SHA-1 for fingerprints but they are not vulnerable to attacks on collision resistance so this isn't a concern.
Some of our developer or role keys probably use SHA-1 self-sigs or sigs.
The SPI CA, the Debian CA and the few service certs signed by it are SHA-1.
There is a request to use stronger ciphers, including dropping some SHA-1 based ones.
The snapshot.d.o data storage is based on SHA-1. Same for the derivatives census, which is based on snapshot.
The APT meta-data produced by dak includes SHA-2 by default.
APT does not trust SHA1 checksums starting with 1.2.7, and MD5 since 1.1. This does not yet affect the GPG signature of the Release file, though; which is validated by GPG.
GnuPG version ??? uses SHA-2 for signatures by default.
Engage git upstream discussion to come up with a new repository format.
Work on OpenPGP 5 which will not use SHA-1 fingerprints.
GnuPG could warn when using SHA-1 for signatures.
GnuPG could filter out SHA-1 signatures for verification purposes.
Have the repository tools reject .changes and .dsc signatures that use SHA-1.
dgit could reject OpenPGP-signed pushes that use SHA-1 signatures.