On Fri, Jun 08, 2007 at 10:12:46PM +0200, Michael Vogt wrote:
> On Mon, May 14, 2007 at 10:20:18PM +0200, Thomas Geyer wrote:
> > Package: apt
> > Version: 0.6.46.4
> > Severity: wishlist
> >
> > Collisions for md5 and sha1 were found already,
> > so it's likely that in the nearer future one of them alone won't be
> > safe enough.
> >
> > Since it is harder to find collisions for two checksums than for one,
> > apt should use both of them at the same time for verifying packages.
>
> There is a sha256 branch in bzr already that should solve this problem
> in the future. As Colin pointed out, just using both hashes will not
> improve security.

This sha256 has been merged since apt 0.7.7; I guess this bug is no longer applicable.

apt (0.7.7) unstable; urgency=low

  [ Michael Vogt ]
  [..]
  * merged apt--sha256 branch to fully support the new sha256
    checksums in the Packages and Release files (ABI break)

-- 
Simon Paillard