[solved] ubuntuzilla weak encryption is there---disable it?

[groze]

ubuntuzilla weak encryption is there a way to disable the notification for the ppas that I trust? (Yes, I know some Debian people don't trust PPA but some do. You can get a lot of good software in PPAs) Note, I am not asking about a Debian system. I am asking about the Ubuntu systems.

[Head_on_a_Stick]

https://wiki.debian.org/CreatePackageFromPPA

[groze]

I was asking about the Ubuntu flavor not Debian. Debian team is the cause of Signature by key xxxxxxxxxxxxx uses weak digest algorithm (SHA1) for Ubuntu flavors that why I am asking here. Actually, I know there is way to disable that notice. What I am asking is there a way to disable the notice per PPA this way you could still use PPAs that uses sha1 that you have trusted in the past. Once, the Debian team stops the SHA1 totally on Jan 1, 2017 a lot of Linux forms will be asking similar questions. In fact ubuntuzilla ppa claims they have upgrade their PPA to sha2 but it still shows it uses sha1 week encryption. So, there is a least one bug.

[dasein]

Note, I am not asking about a Debian system. I am asking about the Ubuntu systems.

Then it would seem that you're asking in the wrong place.

http://ubuntuforums.org/

[GarryRicketson]

Debian team is the cause of Signature by key xxxxxxxxxxxxx uses weak digest algorithm (SHA1) for Ubuntu flavors that why I am asking here.

I don't see how one can blame the Debian team, for the problems
that ubuntu has, but then I suppose one can blame any body they
want to, but that does not solve anything.
Rather then blaming every body else, maybe the "Ubuntu team", should
try solving their problem, I am sure they have forums and mailing
lists to discuss these sort of things.
It looks like Dasein all ready posted a link, so no need to do that
again.

Another thing, though , here it is mostly "Debian Users", we don't
have anything to do with the development, and that sort of thing,
if there is some kind of issue, or bug that needs to be worked on
they do have some mailing lists that are used by the developers
to discuss these kind of things.
https://lists.debian.org/
=================
https://lists.debian.org/devel.html

In fact ubuntuzilla ppa claims they have upgrade their PPA to sha2 but it still shows it uses sha1 week encryption. So, there is a least one bug.

I would report that to the "ubuntuzilla ppa" maintainers, there is nothing we can do about that here.
====================================
As for this:

Note to mod, I was trying to change my email but it won't let me, it thinks I am a spammer or thinks comcast is. I was just able to get my email back. I forgot about the Debian account I had. I can setup another email with comcast if that would work, instead of using outlook dot com emails. Thank you for looking into this.

HOWTO contact forum moderators/admins

In fact, it might be to your advantage to read this as well:
Forum guidelines. Please read before first post!

[stevepusser]

Though that particular Ubuntuzilla PPA is safe for Debian users, since it just packages the Mozilla static binaries into deb packages (somehting I could reproduce in a few minutes in yet another openSUSE Build Service repository, by the way), I would think that it could lead beginners to accept PPAs as a matter of course.

Anyway, you can get compiled dynamic binary Firefox backports from mozilla.debian.net, so I don't know why you would use a PPA to get the browser, anyway.

[groze]

I don't think some of you understand what I am talking about. I thought the Debian community was the place to go for this question. Here is what I am talking about https://wiki.debian.org/Teams/Apt/Sha1Removal because it also effect Debian based distros like Ubuntu, Lubuntu, Kubuntu and so one. Debian or any derivative really shouldn't have any control what PPAs do. The whole point of Linux is to use open source as much as possible? That should be up to the PPA administrators not Debian or any distro in my opinion.

The bugs already been reported again to ubuntuzilla just recently. I am not saying use PPA on Debian even though there is a way to do. I had read some disagreements on PPA use.


I guess you are saying I should contact Teams/Apt/ on how to disable the notice or allow sha1 ppas starting in January 2016 for Ubuntu,

[stevepusser]

Debian has absolutely nothing to do with the management of Launchpad or its PPAs, other than the source code for packages that get used. Nothing to do with the encryption of the repositories.

[groze]

Debian has absolutely nothing to do with the management of Launchpad or its PPAs, other than the source code for packages that get used. Nothing to do with the encryption of the repositories.

So you are saying Debian is not in charge of the Apt team. The apt team answers to no distro but wiki Debian allows them to put info on their website. https://wiki.debian.org/Teams/Apt/Sha1Removal


Anyway the issues is mute, I found a solution and still hope it will work on or after the January 1st.

[Head_on_a_Stick]

I found a solution

Please share your solution with the community.

[groze]

I found a solution

Please share your solution with the community.

Since you asked.
As I said I don't know if it will work after the 1st. It was a real simple fix. It still shows the warning message, now if ubuntuzilla PPA is not fixed by Jan 1, 2017 we will find out if this works.

This would be locate in sources.list file

Code: Select all

deb [trusted=yes] http://downloads.sourceforge.net/project/ubuntuzilla/mozilla/apt all main

There is also a [trusted=no] option, I would wonder why someone would use a no option.

[stevepusser]

Isn't that just a rather old script that goes and gets the Mozilla package and bundles it? It's also not a Launchpad PPA, so how you can link it to apt or Debian is beyond me, being that it's just a script on SF. Real PPA repos are compliant with the new encryption standard.

Please mark this as SOLVED so no one else wastes their time with this.

[groze]

Isn't that just a rather old script that goes and gets the Mozilla package and bundles it? It's also not a Launchpad PPA, so how you can link it to apt or Debian is beyond me, being that it's just a script on SF. Real PPA repos are compliant with the new encryption standard.

You have over 7124 post and you waste you time with that response that doesn't even make any sense to me. I really hate to say this. You might want to read up on how apt & sources.list files work for Debian & other distros. For your info, I have used an Arch based distro (Not arch itself) , & OpenSuse distro and other distros as well. My understanding is apt won't work without a sources.list file.

[stevepusser]

Then please explain how this Sourceforge address that you provided is a Launchpad PPA:

Code: Select all

http://downloads.sourceforge.net/project/ubuntuzilla/mozilla/apt all main

We all know how wonderful Sourceforge is for Windows packages...

you waste you time with that response that doesn't even make any sense to me.

(suppresses laughter) I don't understand many technical subjects either, but I don't argue with those that do.

Yes, I have many posts, but I usually try and do a bit of research online before shooting my mouth off, bud. And why use a PPA when you can get a Debian-built Firefox from mozilla.debian.net, anyway?

[groze]

Then please explain how this Sourceforge address that you provided is a Launchpad PPA:

Code: Select all

http://downloads.sourceforge.net/project/ubuntuzilla/mozilla/apt all main

We all know how wonderful Sourceforge is for Windows packages...

Yes, I have many posts, but I usually try and do a bit of research online before shooting my mouth off, bud. And why use a PPA when you can get a Debian-built Firefox from mozilla.debian.net, anyway?

You might want to check out sourceforge it has a lot of Linux stuff. I won't post that here, because that might be considered advertising.

Debian & Ubuntu developers are now working together. Some developers even work on both systems. Yes, I have done my research. They didn't use to get along but decided it would be beneficial for both to work together. Read this on the web.

When you do a sudo apt-get update on Xubuntu or any Ubuntu flavor 16.04 LTS or above, You get this message:

W: http://downloads.sourceforge.net/projec ... /InRelease: Signature by key xxxxxxxxxxxxx uses weak digest algorithm (SHA1)

This will also effect Debian Stretch as well. When you use a PPA or another 3rd party repository. I know Debian frowns on PPAs but remember Ubuntu is based off of Debian. (That the best way I could describe it). Some people even think Linux Mint-all desktops are frankendebians I let others debate that. Apt was developed by Debian from what I read.

If you recall, I said this in my first post.

I am not asking about a Debian system. I am asking about the Ubuntu system

I hope this explains it better. I did add some extra stuff.