Re: weak repository key

2016-03-29 Thread The Wanderer
On 2016-03-28 at 15:15, Daniel Schröter wrote:

> I still have the problem. Someone else too?

The list of repositories which are known to have this problem is
available here:

https://wiki.debian.org/Teams/Apt/Sha1Removal

The only way for the problem to be fixed, short of reverting the
software feature change which introduced it (which would reintroduce
security weaknesses), is for the people who run those repositories to
re-sign their files as described on that page.

-- 
   The Wanderer

The reasonable man adapts himself to the world; the unreasonable one
persists in trying to adapt the world to himself. Therefore all
progress depends on the unreasonable man. -- George Bernard Shaw





Re: weak repository key

2016-03-28 Thread Sven Hartge
Daniel Schröter wrote:

> I still have the problem. Someone else too?

Well, Google has not fixed this, so of course you still have the
problem. But there is _nothing_ Debian can do here.

The bug is at
 and has
not seen much action.

But since Ubuntu Xenial 16.04 will release with an apt version also
showing this warning, I guess this will get a lot more traction as soon
as Xenial is released because a lot more "normal" people will then get
the warning and not just people running Debian Testing/Unstable or
Beta-Versions of Ubuntu.

Regards,
Sven.

-- 
Sigmentation fault. Core dumped.



Re: Re: weak repository key

2016-03-28 Thread Daniel Schröter
I still have the problem. Someone else too?



Re: weak repository key

2016-03-20 Thread Jochen Spieker
Floris:
> After updating to apt version 1.2.7 I get a warning on apt-get update:
> W: 
> gpgv:/var/lib/apt/lists/partial/dl.google.com_linux_chrome_deb_dists_stable_Release.gpg:
> The repository is insufficiently signed by key
> 4CCA1EAF950CEE4AB83976DCA040830F7FAC5991 (weak digest)
> 
> and the repository is ignored
> 
> Is there a way that apt re-trust the old SHA1 key, or do we have to report
> this to Google and all other repos?

Report it:
https://lists.debian.org/debian-devel-announce/2016/03/msg6.html

J.
-- 
My drug of choice is self-pity.
[Agree]   [Disagree]
 




weak repository key

2016-03-19 Thread Floris

After updating to apt version 1.2.7 I get a warning on apt-get update:
W:  
gpgv:/var/lib/apt/lists/partial/dl.google.com_linux_chrome_deb_dists_stable_Release.gpg:  
The repository is insufficiently signed by key  
4CCA1EAF950CEE4AB83976DCA040830F7FAC5991 (weak digest)


and the repository is ignored

Is there a way that apt re-trust the old SHA1 key, or do we have to report  
this to Google and all other repos?


Floris



Re: weak repository key

2016-03-18 Thread Sven Hartge
Jochen Spieker wrote:
> Floris:

>> After updating to apt version 1.2.7 I get a warning on apt-get update:
>> W: 
>> gpgv:/var/lib/apt/lists/partial/dl.google.com_linux_chrome_deb_dists_stable_Release.gpg:
>> The repository is insufficiently signed by key
>> 4CCA1EAF950CEE4AB83976DCA040830F7FAC5991 (weak digest)
>> 
>> and the repository is ignored
>> 
>> Is there a way that apt re-trust the old SHA1 key, or do we have to report
>> this to Google and all other repos?

> Report it:
> https://lists.debian.org/debian-devel-announce/2016/03/msg6.html

According to
https://bugs.chromium.org/p/chromium/issues/detail?id=594414 this should
be fixed with the next repository update.

Regards,
Sven.

-- 
Sigmentation fault. Core dumped.
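
The "weak digest" in the warning quoted throughout this thread is the hash algorithm recorded in each OpenPGP signature packet of the repository's Release.gpg. The following is an added example, not part of any poster's message and not apt's own code: it reads those packets and lists the digest each signature uses, so a repository operator can check whether a re-signed file still carries SHA1. The sample data is constructed (stub packets, not real signatures), and the choice to also flag MD5 is an assumption of this example.

```python
import base64

HASHES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
          9: "SHA384", 10: "SHA512", 11: "SHA224"}  # RFC 4880, section 9.4
WEAK = {"MD5", "SHA1"}  # the thread names SHA1; MD5 is this example's assumption

def dearmor(text):
    """Decode an ASCII-armored block, skipping armor headers and the CRC line."""
    lines = [l.strip() for l in text.strip().splitlines()]
    body = lines[lines.index("") + 1:]   # a blank line ends the armor headers
    return base64.b64decode("".join(
        l for l in body if not l.startswith(("-----", "="))))

def packets(data):
    """Yield (tag, body) per packet; partial/indeterminate lengths rejected."""
    i = 0
    while i < len(data):
        hdr, i = data[i], i + 1
        if hdr & 0xC0 == 0xC0:                      # new-format header
            tag, first, i = hdr & 0x3F, data[i], i + 1
            if first < 192:
                n = first
            elif first < 224:
                n, i = ((first - 192) << 8) + data[i] + 192, i + 1
            elif first == 255:
                n, i = int.from_bytes(data[i:i + 4], "big"), i + 4
            else:
                raise ValueError("partial body length")
        elif hdr & 0x80 and hdr & 3 != 3:           # old-format header
            tag, w = (hdr >> 2) & 0x0F, 1 << (hdr & 3)
            n, i = int.from_bytes(data[i:i + w], "big"), i + w
        else:
            raise ValueError("unsupported packet header")
        yield tag, data[i:i + n]
        i += n

def signature_digests(data):
    """Hash name per signature packet (tag 2): octet 3 in v4, octet 16 in v3."""
    return [HASHES.get(b[3 if b[0] == 4 else 16], "unknown")
            for t, b in packets(data) if t == 2]

def weak_signatures(armored):
    return [h for h in signature_digests(dearmor(armored)) if h in WEAK]

# Constructed sample: two stub v4 signature packets (SHA1, then SHA256)
STUB = bytes([0x88, 10, 4, 0, 1, 2, 0, 0, 0, 0, 0xAB, 0xCD,
              0xC2, 10, 4, 0, 1, 8, 0, 0, 0, 0, 0xAB, 0xCD])
SAMPLE = ("-----BEGIN PGP SIGNATURE-----\n\n"
          + base64.b64encode(STUB).decode() + "\n-----END PGP SIGNATURE-----")
```

On a real system, pass the text of the repository's Release.gpg to `weak_signatures`; an empty list means no signature in the file uses a digest from `WEAK`.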