Re: Hash algorithms used by APT to verify authenticity of installed files.
* [Sat, Apr 23, 2011 at 12:04:33PM +0200] Quequanys:
> Does it fall back to a weaker algorithm if the hash
> made with the stronger one is not available? Is there a
> way to force APT to use only selected algorithms
> so APT only accepts files verified by chosen
> algorithms, and rejects files when required
> hashes are unavailable?
Acquire::ForceHash
> Could you point me to specific portions of
> documentation that cover this issue?
I usually consider /usr/share/doc/apt/examples/configure-index.gz as
the best source of information regarding apt parameters.
Ciao,
Gian Piero.
-------------------------------------------------------------
Hi again
(this is my second email address)
Thanks for pointing me to /usr/share/doc/apt/examples/configure-index.gz.
However, the descriptions in this file are poor in my opinion; in the case
of the ForceHash option it only says:
"ForceHash "sha256"; // hashmethod used for expected hash: sha256,
sha1 or md5sum"
It doesn't say what will happen if the expected hash is unavailable -
maybe it will just use a weaker hash as a fallback? I think that issues
regarding security should be described clearly and exhaustively. Many
people like me are not coders and don't understand source code :(
Does anyone know if this issue is described somewhere in the official
documentation? Either with ForceHash or without that option (default
behavior)
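One way to see which hash algorithms a repository actually publishes for each index file is to read the checksum sections of its Release file. The following is an added example, not part of the original thread and not APT's own code: it parses the MD5Sum, SHA1 and SHA256 sections and lists files that have no entry for a required algorithm. The function names are hypothetical and the sample Release content is constructed.

```python
# Added example: audit which checksum sections of an APT Release file cover each file.
# All names and the sample content are constructed for illustration.
HEX = set("0123456789abcdef")
HASH_FIELDS = {"MD5Sum": 32, "SHA1": 40, "SHA256": 64}  # field -> hex digest length

# Constructed sample: Packages.gz has MD5Sum and SHA1 entries but no SHA256 entry.
SAMPLE_RELEASE = "\n".join([
    "Origin: Example",
    "Suite: stable",
    "MD5Sum:",
    " " + "a" * 32 + " 1234 main/binary-amd64/Packages",
    " " + "b" * 32 + "  567 main/binary-amd64/Packages.gz",
    "SHA1:",
    " " + "c" * 40 + " 1234 main/binary-amd64/Packages",
    " " + "d" * 40 + "  567 main/binary-amd64/Packages.gz",
    "SHA256:",
    " " + "e" * 64 + " 1234 main/binary-amd64/Packages",
])


def parse_release_hashes(text):
    """Return {path: {field: (hexdigest, size)}} for the checksum sections."""
    entries, field = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace():
            # Unindented line: a new field starts; track it only if it is a checksum section.
            name = line.split(":", 1)[0]
            field = name if name in HASH_FIELDS else None
            continue
        if field is None or not line.strip():
            continue
        parts = line.split(None, 2)  # "<digest> <size> <path>"
        if len(parts) != 3 or not parts[1].isdigit():
            raise ValueError(f"malformed {field} entry: {line!r}")
        digest, size, path = parts[0].lower(), int(parts[1]), parts[2]
        if len(digest) != HASH_FIELDS[field] or not set(digest) <= HEX:
            raise ValueError(f"bad {field} digest for {path}")
        entries.setdefault(path, {})[field] = (digest, size)
    return entries


def files_missing(entries, required="SHA256"):
    """List paths that have no entry under the required checksum field."""
    return sorted(p for p, hashes in entries.items() if required not in hashes)


if __name__ == "__main__":
    for path in files_missing(parse_release_hashes(SAMPLE_RELEASE)):
        print("no SHA256 entry:", path)
```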