[Bug 1562733] [NEW] apt signature requierements prevent updates from some repositories

Eugene Crosser 1562733 at bugs.launchpad.net
Mon Mar 28 07:46:13 UTC 2016 

Public bug reported:

Since xenial updated the requirements for the strength of PGP signatures
of packages, packages from some repositories are no longer updated. Apt-
get update reports these errors:

E: Failed to fetch http://[...]/Release  No Hash entry in Release file /var/lib/apt/lists/partial/[...] which is considered strong enough for security purposes
E: Some index files failed to download. They have been ignored, or old ones used instead.

While the motivation for the change is valid, the result is a potential
security problem, as the new versions of the packages that may fix
recently discovered vulnerabilities are not automatically installed.

One less important but unfortunate effect is a scary message that is
displayed to the user, without clear explanation that the problem needs
to be addressed by the repository owner.

Related: Bug #1558331

** Affects: apt (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: xenial

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/1562733

Title:
  apt signature requierements prevent updates from some repositories

Status in apt package in Ubuntu:
  New

Bug description:
  Since xenial updated the requirements for the strength of PGP
  signatures of packages, packages from some repositories are no longer
  updated. Apt-get update reports these errors:

  E: Failed to fetch http://[...]/Release  No Hash entry in Release file /var/lib/apt/lists/partial/[...] which is considered strong enough for security purposes
  E: Some index files failed to download. They have been ignored, or old ones used instead.

  While the motivation for the change is valid, the result is a
  potential security problem, as the new versions of the packages that
  may fix recently discovered vulnerabilities are not automatically
  installed.

  One less important but unfortunate effect is a scary message that is
  displayed to the user, without clear explanation that the problem
  needs to be addressed by the repository owner.

  Related: Bug #1558331

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1562733/+subscriptions

More information about the foundations-bugs mailing list