Comment 56 for bug 1558331

Julian Andres Klode (juliank) wrote :

@Jen There is no workaround. The small number of affected repos should be fixed instead. Even of the reported 20 cases in https://wiki.debian.org/Teams/Apt/Sha1Removal, only 4/5 instances are broken, the other 16 only emit a warning. Out of the Google repositories, the only active ones are Chrome and (somewhat) MusicManager. Talk Plugin and Earth are *dead* (last update years ago). So that leaves you with Google Music Manager, Spider Oak One, and the severely broken Cuda. Cuda is a real clusterfuck, it uses a *very* weak hash algorithm (only MD5).

I fully expect all broken repositories to be fixed within a few months after xenial's release, if not before. All affected parties are informed about that.

And the others that are being warned about *will* break in 2017. There's no way back. There might be some further issues with uncooperative repository providers, but that's a good thing too: If they don't manage to upgrade their repository security until 2017, can you really trust them?

A workaround might come at a later time, as there are some special use cases that need that (archived repositories), but this needs some careful designing. It will not be part of xenial, and we must make very sure that it's as hard to use as possible and still breaks any normal use, as otherwise users will just override the errors and risk being attacked.

So be happy that the few things do not work now, this gives a better incentive for negligent repository owners to fix their broken repositories and prevents users from allowing themselves to be attacked.