dnbert / prm

PRM allows you to quickly build package repositories, inspired by Jordan Sissel's FPM
MIT License

MD5 sum used for package signing is too weak for Ubuntu Xenial #59

Closed jgoldschrafe closed 8 years ago

jgoldschrafe commented 8 years ago

Ubuntu 16.04 does not work with the Packages files generated by prm. It appears the hashing function (MD5) is too weak. The following error is provided on apt-get update:

W: Failed to fetch https://my.repo.url/dists/xenial/Release  No Hash entry in Release file /var/lib/apt/lists/partial/my_repo_url_dists_xenial_Release, which is considered strong enough for security purposes

mschwager commented 8 years ago

Can we move forward with this fix @dnbert? @jgoldschrafe has even provided a PR: https://github.com/dnbert/prm/pull/60

This warning has now become an error, so it's more problematic:

E: Failed to fetch http://pkg.repo.com/Ubuntu/dists/xenial/Release  No Hash entry in Release file /var/lib/apt/lists/partial/pkg.repo.com_Ubuntu_dists_xenial_Release which is considered strong enough for security purposes
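
The failure reported in this thread depends on which checksum sections the Release file carries. As an added example (not code from prm or from the linked PR), this Ruby code parses a Release file, reports which strong checksum sections list files, and renders a SHA256 section for index files. Treating only SHA256 and SHA512 as strong is an assumption, and the helper names and sample data are constructed for illustration.

```ruby
require 'digest'

# Assumption for this example: only SHA256 and SHA512 sections count as strong.
STRONG_FIELDS = %w[SHA256 SHA512].freeze
HASH_FIELDS = (%w[MD5Sum SHA1] + STRONG_FIELDS).freeze

# Parse checksum sections into { "SHA256" => [{ digest:, size:, path: }, ...] }.
def parse_release_hashes(text)
  sections = {}
  current = nil
  text.each_line(chomp: true) do |line|
    if line =~ /\A([A-Za-z0-9-]+):/
      name = Regexp.last_match(1)
      current = HASH_FIELDS.include?(name) ? name : nil
      sections[current] = [] if current
    elsif current && line.start_with?(' ')
      digest, size, path = line.split(' ', 3)
      sections[current] << { digest: digest, size: size.to_i, path: path }
    else
      current = nil
    end
  end
  sections
end

# Names of the strong checksum sections that actually list files.
def strong_sections(text)
  found = parse_release_hashes(text)
  found.select { |name, entries| STRONG_FIELDS.include?(name) && !entries.empty? }.keys
end

# Render a SHA256 section for index files given as { path => content }.
def sha256_section(files)
  lines = files.sort.map do |path, content|
    format(' %s %d %s', Digest::SHA256.hexdigest(content), content.bytesize, path)
  end
  (['SHA256:'] + lines).join("\n") + "\n"
end

# Constructed sample data (not taken from the issue or from prm output).
PACKAGES = "Package: demo\nVersion: 1.0\n"
MD5_ONLY_RELEASE = <<~REL
  Origin: example
  Suite: xenial
  MD5Sum:
   #{Digest::MD5.hexdigest(PACKAGES)} #{PACKAGES.bytesize} main/binary-amd64/Packages
REL
FIXED_RELEASE = MD5_ONLY_RELEASE + sha256_section('main/binary-amd64/Packages' => PACKAGES)
puts "MD5-only: #{strong_sections(MD5_ONLY_RELEASE)}, fixed: #{strong_sections(FIXED_RELEASE)}"
```

An empty result from `strong_sections` on a generated Release file is the condition to catch in a repository build before publishing.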