Hi!
Is this ticket still open by mistake?
The code from https://salsa.debian.org/apt-team/apt/-/commit/bd4a8f5
appears to be still present in the repo (with minor changes).
The detection of a weak hash and one of the improved warning messages can
be demonstrated in apt 2.6.1 with the following test scenario.
1. On a server machine with a "trivial archive" repo layout, prepare a
"Release" file with just md5sum checksums:
acerion@server:/tmp/from_host/12$ dpkg-scanpackages -h md5 ./ /dev/null > Packages
acerion@server:/tmp/from_host/12$ gzip -9 --stdout Packages > Packages.gz
acerion@server:/tmp/from_host/12$ apt-ftparchive -o="APT::FTPArchive::SHA1=false" -o="APT::FTPArchive::SHA256=false" -o="APT::FTPArchive::SHA512=false" release . > Release
acerion@server:/tmp/from_host/12$ cat Release
Date: Tue, 08 Apr 2025 18:11:40 +0000
MD5Sum:
26b1c5ab51bca8225937d0df6c5347b0 19849 Packages
b2aa6c81ade4d1e780300f80c3fc0c5f 7200 Packages.gz
0de70ee825ae9373e68dc94147406ce3 38 Release
2. On a client machine point apt to your test server
acerion@debian:~$ grep CODENAME /etc/os-release
VERSION_CODENAME=bookworm
acerion@debian:~$ apt --version
apt 2.6.1 (amd64)
acerion@debian:~$ cat /etc/apt/sources.list
deb [trusted=yes] http://10.0.0.237/12 ./
acerion@debian:~$
3. On a client machine update packages' list
acerion@debian:~$ sudo apt update
Ign:1 http://10.0.0.237/12 ./ InRelease
Get:2 http://10.0.0.237/12 ./ Release [228 B]
Ign:3 http://10.0.0.237/12 ./ Release.gpg
Get:4 http://10.0.0.237/12 ./ Packages [7,200 B]
Fetched 7,428 B in 0s (349 kB/s)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
All packages are up to date.
W: No Hash entry in Release file /var/lib/apt/lists/partial/10.0.0.237_12_._Release which is considered strong enough for security purposes
Kamil
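
A check for the condition the warning in the message above reports, run over a Release file before publishing it. This is an added example, not part of the original message and not apt's own code; the function names and the split into STRONG (SHA256, SHA512) and WEAK (MD5Sum, SHA1) fields are assumptions made for the example.

```python
STRONG = {"SHA256", "SHA512"}   # assumption: treated as strong in this example
WEAK = {"MD5Sum", "SHA1"}       # assumption: treated as weak in this example

def parse_release_hashes(text):
    """Map each checksum field in a Release file to its (digest, size, name) rows."""
    sections, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t":                    # continuation row of the open field
            parts = line.split()
            if current in sections and len(parts) == 3 and parts[1].isdigit():
                sections[current].append((parts[0], int(parts[1]), parts[2]))
            continue
        field, _, value = line.partition(":")
        current = field.strip()
        if current in STRONG | WEAK and not value.strip():
            sections[current] = []
    return sections

def audit_release(text):
    """Report whether any strong hash is present and which files lack one."""
    sections = parse_release_hashes(text)
    names = lambda fields: {n for f in fields for _, _, n in sections.get(f, [])}
    strong_files = names(STRONG)
    return {
        "fields": sorted(sections),
        "strong": bool(strong_files),
        "weak_only_files": sorted(names(WEAK) - strong_files),
    }

# Release content from the message above (MD5Sum only), with the leading
# space that checksum rows carry in a Release file.
MD5_ONLY = """Date: Tue, 08 Apr 2025 18:11:40 +0000
MD5Sum:
 26b1c5ab51bca8225937d0df6c5347b0 19849 Packages
 b2aa6c81ade4d1e780300f80c3fc0c5f 7200 Packages.gz
 0de70ee825ae9373e68dc94147406ce3 38 Release
"""
# Constructed sample: same file plus a SHA256 row with a placeholder digest.
MIXED = MD5_ONLY + "SHA256:\n " + "0" * 64 + " 19849 Packages\n"

if __name__ == "__main__":
    for label, text in (("md5-only", MD5_ONLY), ("mixed", MIXED)):
        print(label, audit_release(text))
```
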