View Issue Details

ID: 0000667
Project: bareos-core
Category: installer / packages
View Status: public
Last Update: 2019-12-18 15:45
Reporter: jungingen
Assigned To: stephand
Priority: low
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
OS: Linux
OS Version: Ubuntu 16.04 LTS
Product Version: 15.2.3
Summary: 0000667: Ubuntu repository uses weak digest algorithm (SHA1)
Description: Ubuntu 16.04 LTS gives an error on installing Bareos through repositories - experimental and stable, because of the weak digest algorithm:

http://download.bareos.org/bareos/release/latest/xUbuntu_14.04/
http://download.bareos.org/bareos/experimental/nightly/xUbuntu_16.04/


Steps To Reproduce: After adding repository and installing the key, apt-get update gives the following error:

W: http://download.bareos.org/bareos/experimental/nightly/xUbuntu_16.04/Release.gpg: Signature by key 2FC04F7E3421E21B70F3231F7A855ABDE0F8EFD4 uses weak digest algorithm (SHA1)
Tags: No tags attached.

Activities

joergs

2016-10-24 15:57

developer   ~0002407

We use a private instance of http://openbuildservice.org/ (OBS) to build our Linux packages. As this is only a warning, we do not consider it urgent to fix this issue. However, recent releases of OBS (>= 2.7.0) have fixed this issue, by signing also with SHA256, see https://github.com/openSUSE/obs-sign/commit/688d5fa695c4756bf5c9825ed390112d23270bf0

We plan to update our build infrastructure when we find time for this.
monotek

2016-11-08 19:27

reporter   ~0002440

Would be nice if you could reconsider this decision, because our repos are managed by Puppet, which has problems running without errors when "apt-get update" is executed.
tudor

2016-11-09 06:48

reporter   ~0002441

+1 this affects pretty much every Ubuntu user who's upgraded recently also. I actively discourage my team from ignoring warnings like this as it's a bad habit to get into and paves the way for real attacks on our security.
kim-sondrup

2017-03-03 18:34

reporter   ~0002594

+1 also here having starting troubles when using the repo with Puppet
stephand

2019-09-03 10:54

developer   ~0003567

Does this Puppet-related problem still exist with the current bareos 18.2 repos?
arogge

2019-12-18 15:45

manager   ~0003696

The modern package repositories (everything built after November 2019) contain SHA256 sums.

Issue History

Date Modified Username Field Change
2016-06-14 12:22 jungingen New Issue
2016-10-24 15:57 joergs Note Added: 0002407
2016-10-24 15:59 joergs Priority normal => low
2016-10-24 15:59 joergs Severity major => minor
2016-10-24 15:59 joergs Status new => confirmed
2016-11-08 19:27 monotek Note Added: 0002440
2016-11-09 06:48 tudor Note Added: 0002441
2017-03-03 18:34 kim-sondrup Note Added: 0002594
2017-10-02 15:02 joergs Assigned To => stephand
2017-10-02 15:02 joergs Status confirmed => assigned
2019-09-03 10:54 stephand Status assigned => feedback
2019-09-03 10:54 stephand Note Added: 0003567
2019-12-18 15:45 arogge Status feedback => resolved
2019-12-18 15:45 arogge Resolution open => fixed
2019-12-18 15:45 arogge Note Added: 0003696
2019-12-18 15:45 arogge Status resolved => closed