Bug#973004: dpkg-sig: outdated digest format

[Daniel Kahn Gillmor]

On Tue 2020-10-27 07:52:16 +0100, Konstantinos Dalamagkidis wrote:
> currently dpkg-sig uses MD5/SHA1 for the digest. Both are insufficient
> for integrity protection and according to the Debian Wiki SHA-1 is being
> phased out.

This is really not acceptable.  It's 2021, we've known that both MD5 and
SHA-1 are inappropriate to use for applications where poor
collision-resistance is a risk.

Cryptographic verification of software packages *definitely* falls into
this category.  As far as i can tell (the documentation i could find is
rather sparse), there is no other purpose for dpkg-sig.

So I think its dependence on weak digests makes dpkg-sig entirely unfit
for purpose.  It should be removed from debian until/unless it is
improved to use modern cryptographic primitives.

 --dkg


signature.asc
Description: PGP signature

Bug#973004: dpkg-sig: outdated digest format

[Konstantinos Dalamagkidis]

Package: dpkg-sig
Version: 0.13.1+nmu4
Severity: important

Dear Maintainer,

currently dpkg-sig uses MD5/SHA1 for the digest. Both are insufficient
for integrity protection and according to the Debian Wiki SHA-1 is being
phased out.

We would like to continue using dpkg-sig and would contribute to a new
version, but I wanted to first check with you before coming up with a
new digest format and submitting a patch.

* Is submitting a patch the preferred way to contribute?

* Is backwards compatibility also in the case of remote dpkg-sig
  required?

* Any other considerations?

Rgds
Konstantinos