Debian should move away from MD5 (and at best also from SHA1) (in secure APT and friends)
On 15 October 2012 18:46, Michael Gilbert <mgilbert@debian.org> wrote:
> On Sun, Oct 14, 2012 at 9:08 PM, Christoph Anton Mitterer wrote:
>>> If so, please submit
>>> bugs, and we will look at fixing them. Otherwise, speculation gets us
>>> nowhere and actually wastes time.
>> Well I had once a discussion (around March this year) here about
>> blocking/downgrade attacks... which, AFAICS, both are possible in secure
>> APT right now.... but there was no real outcome.
>> Unfortunately it seems that people do not take these higher-level attacks
>> really seriously.... even though the danger they impose is quite high.
>
> Are there bug reports with a clear description of the problem,
> preferably with a proposed fix? Discussion doesn't really get us
> anywhere. Useful info and actual efforts at fixing problems do.
>
So far no bugs or problems were uncovered. So nothing to file or fix ;-)
I can think of adding SHA-3 hashes... but none of the tools support it
yet, so it's a future wishlist bug, which I am sure will be acted upon
at an appropriate time and doesn't need a bug filed at the present time.
Regards,
Dmitrijs.