*** This bug is a security vulnerability *** Public security bug reported:
The package archives at ddebs.ubuntu.com are signed with signatures based on SHA-1:

    wget http://ddebs.ubuntu.com/dists/xenial/Release.gpg
    gpg --list-packets < Release.gpg | grep digest
            digest algo 2, begin of digest 5e a9

Algorithm 2 is SHA-1:
https://tools.ietf.org/html/rfc4880#section-9.4

The main archives use algo 10, which is SHA-512.

Please update the xenial and newer ddebs to use the newer signature algorithm.

Thanks

** Affects: ubuntu
     Importance: Undecided
     Assignee: Martin Pitt (pitti)
         Status: New

https://bugs.launchpad.net/bugs/1558823

Title:
  ddebs.ubuntu.com gpg signatures use sha-1
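The check in the report above, done without gpg, as an added example that is not part of the original bug report: it reads the hash algorithm ID straight out of each OpenPGP signature packet (RFC 4880 sections 4.2, 5.2 and 9.4) in an armored or binary detached signature such as Release.gpg. The function names, the `WEAK` policy set and the sample packet are assumptions of this example.

```python
import base64

# Hash algorithm IDs from RFC 4880 section 9.4.
HASH_ALGOS = {1: "MD5", 2: "SHA-1", 3: "RIPEMD-160", 8: "SHA-256",
              9: "SHA-384", 10: "SHA-512", 11: "SHA-224"}
WEAK = {1, 2}  # assumption: this example's policy flags MD5 and SHA-1

def dearmor(data: bytes) -> bytes:
    """Decode ASCII armor if present; the body follows the first blank line."""
    if not data.lstrip().startswith(b"-----BEGIN PGP"):
        return data
    lines = data.strip().splitlines()
    start = next(i for i, ln in enumerate(lines) if not ln.strip()) + 1
    body = [ln for ln in lines[start:] if not ln.startswith((b"=", b"-----"))]
    return base64.b64decode(b"".join(body))

def packets(buf: bytes):
    """Yield (tag, body) per packet, for old- and new-format headers."""
    i = 0
    while i < len(buf):
        hdr, i = buf[i], i + 1
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:                      # new format: tag in low 6 bits
            tag, first, i = hdr & 0x3F, buf[i], i + 1
            if first < 192:
                n = first
            elif first < 224:
                n, i = ((first - 192) << 8) + buf[i] + 192, i + 1
            elif first == 255:
                n, i = int.from_bytes(buf[i:i + 4], "big"), i + 4
            else:
                raise ValueError("partial body lengths not handled")
        else:                               # old format: tag in bits 5..2
            tag, size = (hdr >> 2) & 0x0F, (1, 2, 4, 0)[hdr & 3]
            n = int.from_bytes(buf[i:i + size], "big") if size else len(buf) - i
            i += size
        yield tag, buf[i:i + n]
        i += n

def signature_digests(data: bytes):
    """Return (algo_id, name, is_weak) for each signature packet (tag 2)."""
    offset = {3: 16, 4: 3}                  # hash-algo byte in v3 / v4 bodies
    algos = [b[offset[b[0]]] for t, b in packets(dearmor(data)) if t == 2]
    return [(a, HASH_ALGOS.get(a, "unknown"), a in WEAK) for a in algos]

# Constructed (not real) minimal v4 signature packet: RSA, no subpackets.
def constructed_sig(algo: int) -> bytes:
    return bytes([0x88, 13, 4, 0, 1, algo, 0, 0, 0, 0, 0x5E, 0xA9, 0, 1, 1])
```

Calling `signature_digests(open("Release.gpg", "rb").read())` on a downloaded signature gives one tuple per signature, which makes the check easy to run across many suites in a monitoring job.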