Yesterday I overhauled my Debian package-hosting repository in response to user complaints.
I started down the rabbit hole because of this warning:
W: No Hash entry in Release file /.._._Release which is considered strong enough for security purposes
I fixed that by changing my hashes from SHA1 to SHA256 + SHA512, but that only got me a little further, because the more serious problem was that my repository-signing key was DSA-based and "small". I replaced it with a modern key, then changed how I generate my packages, and all is well.
In the past I was generating the Release files manually, via a silly shell-script. Anyway, here is my trivial Makefile for making the per-project and per-distribution archive; no doubt it could be improved:
# Targets that never produce a file of the same name.
.PHONY: all clean repo

all: repo

clean:
	@rm -f InRelease Packages Sources Packages.gz Sources.gz Release Release.gpg

# Binary package index, rebuilt whenever any .deb in this directory changes.
Packages: $(wildcard *.deb)
	@apt-ftparchive packages . > Packages 2>/dev/null
	@gzip -c Packages > Packages.gz

# Source package index.
Sources: $(wildcard *.tar.gz)
	@apt-ftparchive sources . > Sources 2>/dev/null
	@gzip -c Sources > Sources.gz

# Release lists the checksums (SHA256/SHA512 included) of the indices;
# InRelease is the clearsigned copy, Release.gpg the detached signature.
repo: Packages Sources
	@apt-ftparchive release . > Release
	@gpg --yes --clearsign -o InRelease Release
	@gpg --yes -abs -o Release.gpg Release
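To see what apt is objecting to in the warning above, here is an added example (not code from this post) that parses a Release file's hash sections, reports whether a strong (SHA256/SHA512) section is present at all, and verifies the listed digests against the index files. The Packages content and the Release texts are constructed inline for the demonstration.

```python
import hashlib

# Hash sections a Release file may carry, mapped to hashlib names. apt treats
# only SHA256/SHA512 as strong; a Release listing just MD5Sum/SHA1 triggers the
# "No Hash entry ... strong enough" warning quoted above.
HASH_SECTIONS = {"MD5Sum": "md5", "SHA1": "sha1", "SHA256": "sha256", "SHA512": "sha512"}
STRONG = {"SHA256", "SHA512"}

def parse_release(text):
    """Return {section: {filename: (hexdigest, size)}} from Release-file text."""
    sections, current = {}, None
    for line in text.splitlines():
        if not line.startswith(" "):            # header field or section name
            name = line.rstrip().rstrip(":")
            is_section = line.rstrip().endswith(":") and name in HASH_SECTIONS
            current = sections.setdefault(name, {}) if is_section else None
        elif current is not None:                # " <digest> <size> <file>"
            digest, size, fname = line.split()
            current[fname] = (digest, int(size))
    return sections

def check_release(release_text, files):
    """files: {filename: bytes}. Returns (has_strong_hash, list_of_problems)."""
    sections = parse_release(release_text)
    strong = sorted(STRONG & sections.keys())
    problems = []
    for section in strong:
        for fname, (digest, size) in sections[section].items():
            data = files.get(fname)
            if data is None:
                problems.append((section, fname, "not present"))
            elif len(data) != size or hashlib.new(HASH_SECTIONS[section], data).hexdigest() != digest:
                problems.append((section, fname, "digest/size mismatch"))
    return bool(strong), problems

# Constructed sample data (not the real repository's files).
PACKAGES = b"Package: example\nVersion: 1.0\nArchitecture: all\n"

def make_release(*hash_names, data=PACKAGES):
    """Build a minimal Release text listing Packages under the given sections."""
    out = ["Origin: example", "Suite: stable", "Architectures: all"]
    for name in hash_names:
        digest = hashlib.new(HASH_SECTIONS[name], data).hexdigest()
        out += [f"{name}:", f" {digest} {len(data)} Packages"]
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(check_release(make_release("SHA1"), {"Packages": PACKAGES}))            # weak only
    print(check_release(make_release("SHA256", "SHA512"), {"Packages": PACKAGES}))  # strong, verified
```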
In conclusion: in the unlikely event that you're using my packages, please see the GPG-instructions. I've also hidden any packages which were solely for Squeeze and Wheezy, but they continue to exist to avoid breaking links.