
Re: Why Does Debian Use PGP to Sign Packages

From Simon Josefsson <simon@josefsson.org>
Newsgroups linux.debian.security
Subject Re: Why Does Debian Use PGP to Sign Packages
Date 2025-08-16 11:40 +0200
Message-ID <Lklyh-814f-3@gated-at.bofh.it>
References <Lke3L-7W49-5@gated-at.bofh.it> <LkleV-80XJ-9@gated-at.bofh.it>
Organization linux.* mail to news gateway

Jeffrey Walton <noloader@gmail.com> writes:

> https://www.debian.org/doc/manuals/securing-debian-manual/deb-pack-sign.en.html

That's all MD5.  Looks like that document hasn't been updated for the
last decade or so.

"The Release files also include SHA-1 checksums, which will be useful
once MD5 sums become fully broken, however apt doesn't use them yet."

Today both MD5 and SHA1 are fully broken...

/Simon
