Package: aptitude
Version: 0.6.11-1+b1
Severity: wishlist

Dear Maintainer,
Aptitude developers have taken the liberty of deciding for everyone, subjectively, what quality of cryptographic signature is adequate for everyone, in a single sweeping decision, without knowing the individual threat models and assets that the decision is trying to protect. This decision is in the wrong hands.

Specifically, consider the SHA1 removal, documented here:

https://wiki.debian.org/Teams/Apt/Sha1Removal

If the apt team must decide on everyone's security standards, blocking SHA1 was a good move. But that's not the case. The apt suite of tools could have some sensible defaults as far as which signing algorithms are accepted or not, but ultimately the admin should be in control of her own system. Maybe an admin finds SHA256 insufficient and requires an even higher standard. Who is the apt team to tell her which algorithm she may and may not trust?

There is a hack to say "trust all", which can even be used on a per-repository basis or for all repositories, but this is the wrong mechanism, as it disables validity checking entirely. The sysadmin should control which algorithms are fit for purpose, and the apt tool should check validity on admin-permitted algorithms.

-- Package-specific info:
Terminal: screen
$DISPLAY is set.
which aptitude: /usr/bin/aptitude

aptitude version information:
aptitude 0.6.11 compiled at Nov 8 2014 13:34:39
Compiler: g++ 4.9.1
Compiled against:
  apt version 4.12.0
  NCurses version 5.9
  libsigc++ version: 2.4.0
  Gtk+ support disabled.
  Qt support disabled.
Current library versions:
  NCurses version: ncurses 5.9.20140913
  cwidget version: 0.5.17
  Apt version: 4.12.0

aptitude linkage:
	linux-vdso.so.1 (0x00007ffde62f0000)
	/usr/lib/torsocks/libtorsocks.so (0x00007f561b870000)
	libapt-pkg.so.4.12 => /usr/lib/x86_64-linux-gnu/libapt-pkg.so.4.12 (0x00007f561b500000)
	libncursesw.so.5 => /lib/x86_64-linux-gnu/libncursesw.so.5 (0x00007f561b2ca000)
	libtinfo.so.5 => /lib/x86_64-linux-gnu/libtinfo.so.5 (0x00007f561b0a0000)
	libsigc-2.0.so.0 => /usr/lib/x86_64-linux-gnu/libsigc-2.0.so.0 (0x00007f561ae9a000)
	libcwidget.so.3 => /usr/lib/x86_64-linux-gnu/libcwidget.so.3 (0x00007f561ab84000)
	libsqlite3.so.0 => /usr/lib/x86_64-linux-gnu/libsqlite3.so.0 (0x00007f561a8bb000)
	libboost_iostreams.so.1.55.0 => /usr/lib/x86_64-linux-gnu/libboost_iostreams.so.1.55.0 (0x00007f561a6a3000)
	libxapian.so.22 => /usr/lib/libxapian.so.22 (0x00007f561a292000)
	libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f561a075000)
	libstdc++.so.6 => /usr/lib/x86_64-linux-gnu/libstdc++.so.6 (0x00007f5619d6a000)
	libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007f5619a69000)
	libgcc_s.so.1 => /lib/x86_64-linux-gnu/libgcc_s.so.1 (0x00007f5619853000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f56194a8000)
	libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f56192a4000)
	libutil.so.1 => /lib/x86_64-linux-gnu/libutil.so.1 (0x00007f56190a1000)
	libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007f5618e86000)
	libbz2.so.1.0 => /lib/x86_64-linux-gnu/libbz2.so.1.0 (0x00007f5618c76000)
	liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f5618a53000)
	librt.so.1 => /lib/x86_64-linux-gnu/librt.so.1 (0x00007f561884b000)
	libuuid.so.1 => /lib/x86_64-linux-gnu/libuuid.so.1 (0x00007f5618646000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f561c0d5000)

-- System Information:
Debian Release: 8.6
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages aptitude depends on:
ii  aptitude-common           0.6.11-1
ii  libapt-pkg4.12            1.0.9.8.3
ii  libboost-iostreams1.55.0  1.55.0+dfsg-3
ii  libc6                     2.19-18+deb8u6
ii  libcwidget3               0.5.17-2
ii  libgcc1                   1:4.9.2-10
ii  libncursesw5              5.9+20140913-1+b1
ii  libsigc++-2.0-0c2a        2.4.0-1
ii  libsqlite3-0              3.8.7.1-1+deb8u2
ii  libstdc++6                4.9.2-10
ii  libtinfo5                 5.9+20140913-1+b1
ii  libxapian22               1.2.19-1+deb8u1

Versions of packages aptitude recommends:
ii  aptitude-doc-en [aptitude-doc]  0.6.11-1
ii  libparse-debianchangelog-perl   1.2.0-1.1
ii  sensible-utils                  0.0.9

Versions of packages aptitude suggests:
ii  apt-xapian-index  0.47
pn  debtags           <none>
ii  tasksel           3.31+deb8u1

-- no debconf information
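Editor's added example (not code from the bug report, apt or aptitude). The report asks for an admin-controlled allowlist of signature hash algorithms instead of the all-or-nothing "trust all" switch (presumably the `[trusted=yes]` sources.list option, an assumption on my part). The script below shows what such a policy check looks like in isolation: it parses the ASCII-armored signature of a clearsigned InRelease-style file as OpenPGP packets (RFC 4880), reads the hash algorithm ID out of each signature packet, and accepts the file only if every signature uses an algorithm the admin allowed. It does not verify the signature itself; that remains gpgv's job, and this check would sit beside it, not replace it. The InRelease text and the signature packet inside it are constructed here with a bogus key so the example runs offline; the packet is structurally valid but cryptographically meaningless.

```python
"""Allowlist check of the hash algorithm used by OpenPGP signatures.

Added example, not apt/aptitude code. Parses the armored signature of a
clearsigned InRelease-style file into RFC 4880 packets and reports the hash
algorithm of every signature packet, so an admin policy can accept or reject
it independently of whether the signature itself verifies.
"""
import base64
import re

# RFC 4880 section 9.4 hash algorithm identifiers.
HASH_ALGS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256", 9: "SHA384",
             10: "SHA512", 11: "SHA224"}


def _packets(data: bytes):
    """Yield (tag, body) for each packet; handles old- and new-format headers."""
    i = 0
    while i < len(data):
        hdr = data[i]
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:                      # new-format header
            tag = hdr & 0x3F
            first = data[i + 1]
            if first < 192:
                length, i = first, i + 2
            elif first < 224:
                length = ((first - 192) << 8) + data[i + 2] + 192
                i += 3
            elif first == 255:
                length = int.from_bytes(data[i + 2:i + 6], "big")
                i += 6
            else:
                raise ValueError("partial body lengths not supported")
        else:                               # old-format header
            tag = (hdr >> 2) & 0x0F
            ltype = hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            n = 1 << ltype                  # 1, 2 or 4 length octets
            length = int.from_bytes(data[i + 1:i + 1 + n], "big")
            i += 1 + n
        yield tag, data[i:i + length]
        i += length


def signature_hash_algs(armored: str):
    """Return the hash algorithm ID of every signature packet in the armor block."""
    m = re.search(r"-----BEGIN PGP SIGNATURE-----\n(.*?)-----END PGP SIGNATURE-----",
                  armored, re.S)
    if not m:
        raise ValueError("no PGP SIGNATURE block found")
    # Drop armor headers ("Key: value"), blank lines and the "=CRC24" line.
    b64 = "".join(line for line in m.group(1).splitlines()
                  if line and ":" not in line and not line.startswith("="))
    algs = []
    for tag, body in _packets(base64.b64decode(b64)):
        if tag != 2:                        # tag 2 = signature packet
            continue
        if body[0] == 4:                    # v4: version, sig type, pk alg, hash alg
            algs.append(body[3])
        elif body[0] == 3:                  # v3: version, 5, sig type, time(4), keyid(8), pk alg, hash alg
            algs.append(body[16])
        else:
            raise ValueError("unsupported signature version %d" % body[0])
    return algs


def check_policy(armored: str, allowed=frozenset({"SHA256", "SHA384", "SHA512"})):
    """Return (ok, names); ok only if every signature uses an admin-allowed hash."""
    names = [HASH_ALGS.get(a, "unknown(%d)" % a) for a in signature_hash_algs(armored)]
    return all(n in allowed for n in names), names


def _fake_sig_packet(hash_alg: int) -> bytes:
    """Constructed v4 signature packet with a bogus 8-bit MPI; no real key involved."""
    body = bytes([4, 0x01, 1, hash_alg])                # v4, canonical-text sig, RSA, hash alg
    body += b"\x00\x06" + bytes([5, 2]) + (1415000000).to_bytes(4, "big")  # hashed: creation time
    body += b"\x00\x00"                                 # no unhashed subpackets
    body += b"\xAB\xCD"                                 # left 16 bits of the hash (bogus)
    body += b"\x00\x08\x5A"                             # MPI: 8 bits, one octet (bogus)
    return bytes([0x88, len(body)]) + body              # old-format header, tag 2, 1-octet length


def _fake_inrelease(hash_alg: int) -> str:
    """Constructed InRelease-style clearsigned text; not from any real archive."""
    pkt = _fake_sig_packet(hash_alg)
    return ("-----BEGIN PGP SIGNED MESSAGE-----\nHash: %s\n\n" % HASH_ALGS[hash_alg]
            + "Origin: Example\nSuite: stable\n"
            + "-----BEGIN PGP SIGNATURE-----\n\n"
            + base64.b64encode(pkt).decode() + "\n=AAAA\n"
            + "-----END PGP SIGNATURE-----\n")


if __name__ == "__main__":
    for alg in (2, 8):
        print(HASH_ALGS[alg], check_policy(_fake_inrelease(alg)))
```

Against a real archive the same function would be fed the contents of an InRelease file (or the detached Release.gpg); with the default allowlist a SHA1-signed file is rejected while a SHA256-signed one passes, and widening `allowed` is the per-admin decision the report argues for. The CRC24 trailer is skipped rather than checked, which is fine for a policy pre-check but not for anything that replaces real verification.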