apticron won't stop complaining about weak digest algorithm

Bug #1577427 reported by Jonathan Kamens
This bug affects 1 person
Affects: apticron (Ubuntu)
Status: New
Importance: Undecided
Assigned to: Unassigned

Bug Description

Getting these in email every night from cron when apticron runs:

W: http://dl.google.com/linux/chrome/deb/dists/stable/Release.gpg: Signature by key 4CCA1EAF950CEE4AB83976DCA040830F7FAC5991 uses weak digest algorithm (SHA1)
W: http://dl.google.com/linux/chrome/deb/dists/stable/Release.gpg: Signature by key 3B068FB4789ABE4AEFA3BB491397BC53640DB551 uses weak digest algorithm (SHA1)

I understand that Google really should fix their repository not to use a weak digest algorithm, but there's nothing I can do about that, and in the meantime, the emails from apticron are just useless noise. Please make them stop.

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: apticron 1.1.58ubuntu1
ProcVersionSignature: Ubuntu 4.4.0-21.37-generic 4.4.6
Uname: Linux 4.4.0-21-generic x86_64
NonfreeKernelModules: nvidia_uvm nvidia_modeset nvidia
ApportVersion: 2.20.1-0ubuntu2
Architecture: amd64
CurrentDesktop: Unity
Date: Mon May 2 10:31:54 2016
InstallationDate: Installed on 2016-01-16 (107 days ago)
InstallationMedia: Ubuntu 15.10 "Wily Werewolf" - Release amd64 (20151021)
PackageArchitecture: all
SourcePackage: apticron
UpgradeStatus: Upgraded to xenial on 2016-04-28 (4 days ago)

Thomas Ward (teward) wrote :

I am not an apticron expert, but I don't believe this is an apticron bug - this is an issue where apt and apt-get no longer permits weak-hash signatures and throws those warnings. I am not marking this as Invalid, but I am fairly certain this is more a support request than a bug report, in its current form (there is a way to disable the signature check in apt, but it's not something I would recommend, if you want to make sure you get valid packages and such).

Jonathan Kamens (jik) wrote :

First of all, your language, "...apt and apt-get no longer permits [sic] weak-hash signatures" is incorrect. The weak signatures are still _permitted_; they just generate a warning.

Second, this _is_ an apticron bug in the sense that warnings the user can't do anything about that do not actually impact functionality should be suppressed, or at the very least there should be a configurable option to suppress them.

It is not a best practice for a program to generate warnings every single day that have no functional impact and the user can't do anything about. This wastes the user's time and tends to cause the user to ignore _other_ warnings that the user can and should do something about.

Adding a setting to apticron.conf to suppress these warnings, with the setting disabled by default, would be sufficient to address this bug.
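
One way to quiet only the two warnings from the report while leaving signature checking on, as an added example that is not part of the original thread and is not apticron or apt code. The function name `filter_weak_digest`, the variable names, and the last two sample lines (all-zero and all-one fingerprints, `repo.example.invalid`) are constructed for illustration. A weak-digest warning for any other key or repository still gets through.

```shell
#!/bin/sh
# Added example, not apticron or apt code: drop only the weak-digest warnings
# an admin has explicitly accepted, keyed on Release.gpg URL + signing key.

CHROME_RELEASE='http://dl.google.com/linux/chrome/deb/dists/stable/Release.gpg'
# URL/key pairs copied from the two warnings in the report, ";"-separated.
ACCEPTED_WEAK_SIGS="$CHROME_RELEASE 4CCA1EAF950CEE4AB83976DCA040830F7FAC5991;$CHROME_RELEASE 3B068FB4789ABE4AEFA3BB491397BC53640DB551"

# filter_weak_digest (hypothetical name): reads apt output on stdin and
# writes every line except accepted SHA1 weak-digest warnings to stdout.
filter_weak_digest() {
    awk -v allow="$ACCEPTED_WEAK_SIGS" '
    BEGIN {
        n = split(allow, pair, ";")
        for (i = 1; i <= n; i++) accepted[pair[i]] = 1
    }
    # W: <url>: Signature by key <fingerprint> uses weak digest algorithm (SHA1)
    $1 == "W:" && $3 == "Signature" && $5 == "key" &&
    /uses weak digest algorithm \(SHA1\)$/ {
        url = $2
        sub(/:$/, "", url)          # strip the colon that ends the URL field
        id = url " " $6
        if (id in accepted) next    # known and accepted: stay quiet
    }
    { print }                       # everything else is passed through
    '
}

# Sample input: the first two lines are from the report, the last two are
# constructed (a new key on the same repo, and a different repo).
sample_cron_output() {
    cat <<'EOF'
W: http://dl.google.com/linux/chrome/deb/dists/stable/Release.gpg: Signature by key 4CCA1EAF950CEE4AB83976DCA040830F7FAC5991 uses weak digest algorithm (SHA1)
W: http://dl.google.com/linux/chrome/deb/dists/stable/Release.gpg: Signature by key 3B068FB4789ABE4AEFA3BB491397BC53640DB551 uses weak digest algorithm (SHA1)
W: http://dl.google.com/linux/chrome/deb/dists/stable/Release.gpg: Signature by key 0000000000000000000000000000000000000000 uses weak digest algorithm (SHA1)
W: http://repo.example.invalid/dists/stable/Release.gpg: Signature by key 1111111111111111111111111111111111111111 uses weak digest algorithm (SHA1)
EOF
}

# Only the two constructed warnings are printed.
sample_cron_output | filter_weak_digest
```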
