<feed xmlns='http://www.w3.org/2005/Atom'>
<title>apt/debian/default-sequoia.config, branch main</title>
<subtitle>Debians commandline package manager</subtitle>
<id>https://git.kalnischkies.de/apt/atom?h=main</id>
<link rel='self' href='https://git.kalnischkies.de/apt/atom?h=main'/>
<link rel='alternate' type='text/html' href='https://git.kalnischkies.de/apt/'/>
<updated>2025-04-25T21:07:07Z</updated>
<entry>
<title>Update Sequoia crypto policy</title>
<updated>2025-04-25T21:07:07Z</updated>
<author>
<name>Julian Andres Klode</name>
<email>julian.klode@canonical.com</email>
</author>
<published>2025-04-25T18:03:52Z</published>
<link rel='alternate' type='text/html' href='https://git.kalnischkies.de/apt/commit/?id=0989275c2f7afb7a5f7698a096664a1035118ebf'/>
<id>urn:sha1:0989275c2f7afb7a5f7698a096664a1035118ebf</id>
<content type='text'>
Move our cut-offs to February to align with Sequoia, and cut-off more:

- 2024-02: DSA keys retroactively (align with GnuPG config)
- 2026-02: SHA224 hashes
- 2028-02: Brainpool keys (align closer with GnuPG backend)
- 2030-02: RSA2048 keys

These algorithms will not be valid starting on those cut-off dates.

Gbp-Dch: full
</content>
</entry>
<entry>
<title>Extend v3 subkey expiry to 2026, owing to OBS use</title>
<updated>2025-01-01T12:28:57Z</updated>
<author>
<name>Julian Andres Klode</name>
<email>julian.klode@canonical.com</email>
</author>
<published>2025-01-01T12:17:00Z</published>
<link rel='alternate' type='text/html' href='https://git.kalnischkies.de/apt/commit/?id=3c4d0d25e1c35af16b66a4dee48fb3b0ed9d50a5'/>
<id>urn:sha1:3c4d0d25e1c35af16b66a4dee48fb3b0ed9d50a5</id>
<content type='text'>
SUSE's Open Build Service is signing multiple repositories using
v3 signing keys.
</content>
</entry>
<entry>
<title>debian: Add default policy to allow SHA-1 self-signatures until 2026</title>
<updated>2024-12-22T22:52:05Z</updated>
<author>
<name>Julian Andres Klode</name>
<email>julian.klode@canonical.com</email>
</author>
<published>2024-12-20T10:21:29Z</published>
<link rel='alternate' type='text/html' href='https://git.kalnischkies.de/apt/commit/?id=153653d449efe121487641303d43ac523b9b17fb'/>
<id>urn:sha1:153653d449efe121487641303d43ac523b9b17fb</id>
<content type='text'>
Many repositories still have SHA-1 self-signatures, and they are not
security relevant for APT repositories in the first place since we
do not use a web of trust model, but rather a set of trusted keyrings,
and the subkey can essentially be always considered trusted even if
it cannot be verified.
</content>
</entry>
</feed>
