[Pkg-gnupg-maint] Bug#559458: kgpg: default selection is considered weak

Thijs Kinkhorst thijs at debian.org
Fri Jun 18 07:48:52 UTC 2010


On Thu, June 17, 2010 18:39, Daniel Leidert wrote:
> This issue is only present in Debian stable/Lenny. Version 1.4.10 of
> GnuPG prefers SHA-256 over SHA-1. My question to the security team:
> Should this be backported to Lenny? I don't have a patch for this atm -
> we need to search the upstream VCS.

My take on the SHA-1 issue is as follows.

SHA-1 is not broken in any practical way. It is true that the first cracks
have started to appear in it, which makes it desirable to select an
alternative without those cracks when that's opportune, in order not to be
caught in too big a mess when actual attacks start to appear. However,
there's no need to currently consider SHA-1 usage insecure. I consider it
'deprecated', like with code, in the sense that it still works but it's
more future-proof to use something else.

There's also the practical problem that not all OpenPGP implementations
are equally charmed by hash algorithms other than SHA-1. Following the
normal release cycle gives more time to get these problems resolved.

Concluding, no backporting to stable needed. The new algorithm defaults
will reach our users through the normal release cycle.


Cheers,

Thijs




