Ubuntu hasn't re-signed its old-releases repos to SHA-256?

Asked by Andrew

In Xenial, Ubuntu decided to deprecate the use of SHA-1 hashes in APT.
https://juliank.wordpress.com/2016/03/14/dropping-sha-1-support-in-apt/

This change came with the impressive and well considered transition strategy of completely disallowing users to bypass the new check that sees any SHA-1 hashed repo not loaded.

So my question is: Why has Ubuntu itself not re-signed all of their repos to SHA-256?

http://old-releases.ubuntu.com/

I'm trying to re-construct an environment from years ago (Edgy to be precise) and all I'm getting is "The repository is insufficiently signed by key (weak digest)" error messages with no way to avoid them but to go back to the dark ages and manually download a .DEB, install it and manually resolve dependencies.

Get it together.

Andrew

Question information

Language: English
Status: Answered
For: Ubuntu
Assignee: No assignee

Manfred Hampl (m-hampl) said :
#1

The revocation of SHA-1 as a trusted hash algorithm should affect only Ubuntu xenial and later.
What exactly are you doing (and which program and version are you using) to receive such an error message?

actionparsnip (andrew-woodhead666) said :
#2

Edgy is dead and gone my friend. I suggest you wipe it off and do a clean install of Xenial. Xenial is LTS and supported until April 2021.

Andrew (theqacollective) said :
#3

I am trying to install old repos in a docker container to get an old
program to work - this makes the most sense to try before attempting a
complete rewrite of the code. Indeed this is perfect for docker because
it's old crap but contained entirely within a docker container. So I end up
getting it working, I can easily publish the docker container and nobody
will have to go through what I'm encountering.

However, with Xenial it's no longer a matter of simply adding the edgy repo
to my sources.list anymore - as APT refuses to download the legacy SHA-1
signed repo list!

It is infuriating that there is no way for a knowledgeable user to bypass
this new APT behaviour.

Andrew


Launchpad Janitor (janitor) said :
#4

This question was expired because it remained in the 'Open' state without activity for the last 15 days.

Andrew (theqacollective) said :
#5

Repos still need re-signing by Canonical or whoever should/can do this. Otherwise, the vast majority of archival data held in existing repos or archive repos is worthless due to this short-sighted change in apt behaviour.

Manfred Hampl (m-hampl) said :
#6

The problem that you encounter arises only if you access the old, archived repositories from a current Ubuntu version.
Accessing the old repositories by the programs delivered in an Ubuntu system with the related (old, outdated) Ubuntu version will work without problem.

It is the characteristic of an archive that it shows the status as it was at a certain moment. I do not think that there is a plan to change old archived information by re-signing the repository information.

If you want to discuss that with the developers, you are free to create a bug report.
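
The "weak digest" message discussed in this thread depends on the hash algorithm recorded inside the repository's OpenPGP signature (for example its Release.gpg). The following is an added example, not part of the thread or of APT's own code, that reads that field from an armored signature. The parser follows RFC 4880, the sample packet is constructed, only the first armored block is read, and treating MD5 as weak alongside SHA-1 is an assumption.

```python
import base64

# OpenPGP hash algorithm IDs (RFC 4880, section 9.4).
HASH_NAMES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK = {"MD5", "SHA1"}  # the thread names SHA-1; MD5 is added here as an assumption

def dearmor(text):
    """Return the binary packets of the first armored signature block (e.g. Release.gpg)."""
    lines = [l.strip() for l in text.splitlines()]
    start, end = lines.index("-----BEGIN PGP SIGNATURE-----"), lines.index("-----END PGP SIGNATURE-----")
    body = lines[lines.index("", start) + 1:end]         # skip armor headers
    return base64.b64decode("".join(l for l in body if not l.startswith("=")))  # drop CRC line

def signature_digests(data):
    """Walk the packet stream; return (digest name, is_weak) for every signature packet."""
    found, i = [], 0
    while i < len(data):
        hdr = data[i]; i += 1
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:                                   # new-format header
            tag, first = hdr & 0x3F, data[i]
            if first < 192:
                length, i = first, i + 1
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i + 1] + 192, i + 2
            elif first == 255:
                length, i = int.from_bytes(data[i + 1:i + 5], "big"), i + 5
            else:
                raise ValueError("partial body length not supported")
        else:                                            # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            length, i = int.from_bytes(data[i:i + (1 << ltype)], "big"), i + (1 << ltype)
        body, i = data[i:i + length], i + length
        if tag == 2:                                     # signature packet
            # Hash algorithm offset depends on signature version (v3: 16, v4: 3); others raise KeyError.
            hash_id = body[{3: 16, 4: 3}[body[0]]]
            name = HASH_NAMES.get(hash_id, "unknown(%d)" % hash_id)
            found.append((name, name in WEAK))
    return found

def sample(hash_id):
    """Constructed, truncated v4 signature packet (DSA, no MPIs); not a real signature."""
    raw = bytes([0x88, 10, 4, 0, 17, hash_id, 0, 0, 0, 0, 0xAB, 0xCD])
    return ("-----BEGIN PGP SIGNATURE-----\n\n" + base64.b64encode(raw).decode()
            + "\n-----END PGP SIGNATURE-----\n")
```

Calling `signature_digests(dearmor(open("Release.gpg").read()))` on a downloaded signature file reports the digest without involving APT or changing any trust settings.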
