0000667: Ubuntu repository uses weak digest algorithm (SHA1)

ID	Project	Category	View Status	Date Submitted	Last Update

0000667	bareos-core	installer / packages	public	2016-06-14 12:22	2019-12-18 15:45

Reporter	jungingen	Assigned To	stephand
Priority	low	Severity	minor	Reproducibility	always
Status	closed	Resolution	fixed
OS	Linux	OS Version	Ubuntu 16.04 LTS
Product Version	15.2.3

Summary	0000667: Ubuntu repository uses weak digest algorithm (SHA1)
Description	Ubuntu 16.04 LTS gives an error on installing Bareos through repositories - experimental and stable, because of the weak digest algorithm: http://download.bareos.org/bareos/release/latest/xUbuntu_14.04/ http://download.bareos.org/bareos/experimental/nightly/xUbuntu_16.04/
Steps To Reproduce	After adding repository and installing the key, apt-get update gives the following error: W: http://download.bareos.org/bareos/experimental/nightly/xUbuntu_16.04/Release.gpg: Signature by key 2FC04F7E3421E21B70F3231F7A855ABDE0F8EFD4 uses weak digest algorithm (SHA1)
Tags	No tags attached.

joergs 2016-10-24 15:57 developer ~0002407	We use a private instance of http://openbuildservice.org/ (OBS) to build our Linux packages. As this is only a warning, we do not consider it urgent to fix this issue. However, recent releases of OBS (>= 2.7.0) have fixed this issue, by signing also with SHA256, see https://github.com/openSUSE/obs-sign/commit/688d5fa695c4756bf5c9825ed390112d23270bf0 We plan to update our build infrastructure when we find time for this.

monotek 2016-11-08 19:27 reporter ~0002440	Would be nice you could reconsider this decission because our repos are managed by puppet which has problems running without erros when "apt-get update" is executed.

tudor 2016-11-09 06:48 reporter ~0002441	+1 this affects pretty much every Ubuntu user who's upgraded recently also. I actively discourage my team from ignoring warnings like this as it's a bad habit to get into and paves the way for real attacks on our security.

kim-sondrup 2017-03-03 18:34 reporter ~0002594	+1 also here having starting troubles when using the repo with Puppet

stephand 2019-09-03 10:54 developer ~0003567	Does this Puppet related problem still exist with the current bareos 18.2 repos?

arogge 2019-12-18 15:45 manager ~0003696	The modern package repositories (everything built after November 2019) contain SHA256 sums.

Date Modified	Username	Field	Change
2016-06-14 12:22	jungingen	New Issue
2016-10-24 15:57	joergs	Note Added: 0002407
2016-10-24 15:59	joergs	Priority	normal => low
2016-10-24 15:59	joergs	Severity	major => minor
2016-10-24 15:59	joergs	Status	new => confirmed
2016-11-08 19:27	monotek	Note Added: 0002440
2016-11-09 06:48	tudor	Note Added: 0002441
2017-03-03 18:34	kim-sondrup	Note Added: 0002594
2017-10-02 15:02	joergs	Assigned To	=> stephand
2017-10-02 15:02	joergs	Status	confirmed => assigned
2019-09-03 10:54	stephand	Status	assigned => feedback
2019-09-03 10:54	stephand	Note Added: 0003567
2019-12-18 15:45	arogge	Status	feedback => resolved
2019-12-18 15:45	arogge	Resolution	open => fixed
2019-12-18 15:45	arogge	Note Added: 0003696
2019-12-18 15:45	arogge	Status	resolved => closed