>> I additionally opened a bug with apt to add support for SHA512SUM, so
>> we can start using them. As soon as that is possible I intend to drop
>> SHA256 and end up with SHA1/SHA512 only.

> Unfortunately, the algorithm used for the GnuPG signatures (both in
> InRelease and Release.gpg) is SHA-1. Removing SHA-256 in favor of
> SHA-512 does not increase security because the signatures are the
> weakest point. See #612657 for more details.
Well, a slightly different point than reducing yourself to just 2 hashes, but yes, we should look to change that part too.

-- 
bye, Joerg

Son, when you participate in sporting events, it's not whether you win or lose: it's how drunk you get.
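The thread is about which digest sections a Release file carries and which one a client should trust. The following is an added illustration, not code from apt or from anyone in this thread: it parses the SHA1/SHA256/SHA512 sections of a Release body (built here from constructed sample content, not a real Debian archive), verifies an index file against the strongest section that lists it, and refuses entries that exist only under SHA1 or MD5Sum. The verification of the GnuPG signature over the Release file itself, which the reply points out is the actual weakest link, is out of scope here.

```python
import hashlib

# Digest sections apt understands, strongest first. A verifier should use the
# strongest section that lists a file and reject files listed only under weak ones.
ALGO_ORDER = [("SHA512", "sha512"), ("SHA256", "sha256"), ("SHA1", "sha1"), ("MD5Sum", "md5")]
WEAK = {"SHA1", "MD5Sum"}
SECTION_NAMES = {name for name, _ in ALGO_ORDER}


def parse_release(text):
    """Parse the hash sections of a Release/InRelease body into
    {section: {path: (hexdigest, size)}}. Entry lines are indented by one space."""
    sections, current = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and current is not None:
            parts = line.split()
            if len(parts) == 3:  # "<hexdigest> <size> <path>"
                sections[current][parts[2]] = (parts[0], int(parts[1]))
        elif line.rstrip().endswith(":") and line.split(":")[0] in SECTION_NAMES:
            current = line.split(":")[0]
            sections.setdefault(current, {})
        else:
            current = None  # any other field ends the current hash section
    return sections


def verify_index(sections, path, data):
    """Check `data` for `path` against the strongest section listing it.
    Returns (ok, section_used); ok is False for a mismatch, a weak-only entry,
    or a path that is not listed at all."""
    for section, hname in ALGO_ORDER:
        entry = sections.get(section, {}).get(path)
        if entry is None:
            continue
        if section in WEAK:
            return (False, section)  # listed only under SHA1/MD5Sum: not acceptable
        expected, size = entry
        digest = hashlib.new(hname, data).hexdigest()
        return (digest == expected and len(data) == size, section)
    return (False, None)


def build_sample_release(files, sections):
    """Constructed Release body listing `files` ({path: bytes}) under `sections`."""
    out = ["Origin: Example", "Suite: stable"]
    for section, hname in ALGO_ORDER:
        if section not in sections:
            continue
        out.append(section + ":")
        for path, data in files.items():
            out.append(" %s %d %s" % (hashlib.new(hname, data).hexdigest(), len(data), path))
    return "\n".join(out) + "\n"
```

Running `verify_index` on a Release that lists a file only under SHA1 returns `(False, "SHA1")` even when the digest matches, which is the policy the discussion argues for.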