On Wed, May 04, 2016 at 08:13:56PM +0200, Guillem Jover wrote:

> First off, with the reproducible and rebootstrap efforts rebuilding
> stuff with latest dpkg, it's really fast to catch regressions, that's
> very helpful, thanks! And second, also thanks for tracking this down. :)

Thanks for the kind words :)

> No, serious is right, this was over eagerness from my part. The
> signature checks are non-fatal, and not being able to verify the sigs
> is way worse security wise than having weak checksums (and that's
> common for revoked/expired/retired keys), so this needs to be a warning
> indeed. I'm fixing this for 1.18.7.

Cool, thanks again.

Do you think a lintian check for weak checksums would be worthwhile? I can't see an existing one but I suppose that shouldn't be too hard to implement. It could also serve as a basis for a mass bug filing if that turns out to be desirable.

-- 
Niko