Package: ftp.debian.org
Severity: serious

Hi!
While going over the SHA-1 issues in the keyrings [K], I then realized that for some of those cases that will not validate signatures with dupload, dpkg-source, or dscverify for example (and checking some specific cases from keyring.debian.org, in case there was a newer fixed certificate in there), dak does not seem to be rejecting signatures from those certificates, even though SHA-1 was intended to be disallowed for uploads since this was announced some time ago [A].

  [K] https://lists.debian.org/debian-devel/2025/03/msg00477.html
  [A] https://lists.debian.org/debian-devel-announce/2017/02/msg00007.html

I think the main reason is that the gpg verification invocations are not done with something like «--weak-digest SHA1 --weak-digest RIPEMD160».

I have set the severity to serious as this seems like a security issue, but of course feel free to lower it if you disagree.

Thanks,
Guillem
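An added example, not code from this report or from dak: it builds the gpg invocation with the two --weak-digest flags suggested above and, as a second layer, parses gpg's --status-fd output to reject any otherwise-good signature whose VALIDSIG line reports a SHA-1 or RIPEMD-160 digest. Status-line layout follows GnuPG's doc/DETAILS; the sample status output and fingerprints are constructed placeholders.

```python
# Added example (not from the bug report or from dak): reject upload signatures
# made with a weak digest by checking gpg's machine-readable status lines.
WEAK_DIGESTS = frozenset({"SHA1", "RIPEMD160"})

# OpenPGP hash-algorithm ids (RFC 4880 section 9.4) as gpg prints them in VALIDSIG.
HASH_ALGO_NAMES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
                   9: "SHA384", 10: "SHA512", 11: "SHA224"}


def gpg_verify_argv(sig_path, weak=WEAK_DIGESTS):
    """gpg command line with the flags proposed in the report; --status-fd 1
    routes status lines to stdout so they can be fed to check_status()."""
    argv = ["gpg", "--batch", "--status-fd", "1"]
    for name in sorted(weak):
        argv += ["--weak-digest", name]
    return argv + ["--verify", sig_path]


def check_status(status_text, weak=WEAK_DIGESTS):
    """Return (verdict, reason): 'accepted' only for a GOODSIG/VALIDSIG pair
    whose digest is known and not weak; everything else is 'rejected'."""
    good, digests = False, []
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        keyword, args = fields[1], fields[2:]
        if keyword == "GOODSIG":
            good = True
        elif keyword in ("BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NODATA"):
            return ("rejected", keyword)
        elif keyword == "VALIDSIG":
            # fpr date timestamp expiry version reserved pk-algo hash-algo class [primary-fpr]
            if len(args) < 9 or not args[7].isdigit():
                return ("rejected", "malformed VALIDSIG")
            digests.append(HASH_ALGO_NAMES.get(int(args[7]), "UNKNOWN(%s)" % args[7]))
    if not good or not digests:
        return ("rejected", "no valid signature")
    weak_used = [d for d in digests if d in weak or d.startswith("UNKNOWN")]
    if weak_used:
        return ("rejected", "weak digest " + ", ".join(weak_used))
    return ("accepted", "digest " + ", ".join(digests))


# Constructed status output for a .changes signed with a SHA-1 digest (hash-algo 2).
SHA1_STATUS = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Uploader <uploader@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2025-03-20 1742428800 0 4 0 1 2 00 0123456789ABCDEF0123456789ABCDEF01234567
"""
# Same signature but with hash-algo 10 (SHA512), which should pass.
SHA512_STATUS = SHA1_STATUS.replace(" 1 2 00 ", " 1 10 00 ")
```

Running `gpg_verify_argv()` through subprocess and passing its stdout to `check_status()` gives both gpg's own weak-digest policy and this independent check; the constructed SHA-1 sample is rejected while the SHA512 variant is accepted.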