Yesterday I overhauled my Debian package-hosting repository, in response to user complaints.
I started down the rabbit hole due to:
W: No Hash entry in Release file /.._._Release which is considered strong enough for security purposes
I fixed that by changing my hashes from SHA1 to SHA256 + SHA512, but that was only a little progress, because the more serious problem was that my repository-signing key was DSA-based and "small". I replaced it with a modern key, then changed how I generate my packages, and all is well.
In the past I was generating the Release files manually, via a silly shell-script. Anyway, here is my trivial Makefile for making the per-project and per-distribution archive; no doubt it could be improved:
all: repo

clean:
	@rm -f InRelease Packages Sources Packages.gz Sources.gz Release Release.gpg

Packages: $(wildcard *.deb)
	@apt-ftparchive packages . > Packages 2>/dev/null
	@gzip -c Packages > Packages.gz

Sources: $(wildcard *.tar.gz)
	@apt-ftparchive sources . > Sources 2>/dev/null
	@gzip -c Sources > Sources.gz

repo: Packages Sources
	@apt-ftparchive release . > Release
	@gpg --yes --clearsign -o InRelease Release
	@gpg --yes -abs -o Release.gpg Release
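The apt warning above is about which digest sections the Release file carries. As an added example (not part of the original post or its Makefile), here is a small Python check that parses the hash sections of a Release file, reports whether a strong digest (SHA256/SHA512) is present, and verifies an index file against every strong entry; the Packages and Release contents are constructed inline for illustration.

```python
import hashlib
import re

# Digest sections apt-ftparchive can emit. MD5Sum and SHA1 are the ones apt
# no longer accepts on their own ("not considered strong enough").
STRONG = {"SHA256", "SHA512"}
HASHER = {"MD5Sum": "md5", "SHA1": "sha1", "SHA256": "sha256", "SHA512": "sha512"}

def parse_release(text):
    """Return {section: {filename: (hexdigest, size)}} for the hash sections."""
    sections, current = {}, None
    for line in text.splitlines():
        if re.fullmatch(r"(MD5Sum|SHA1|SHA256|SHA512):", line):
            current = line[:-1]
            sections[current] = {}
        elif current and line.startswith(" "):
            digest, size, name = line.split()
            sections[current][name] = (digest, int(size))
        else:
            current = None  # back among the plain header fields
    return sections

def strong_hashes_present(sections):
    """True if the Release file lists at least one SHA256 or SHA512 section."""
    return bool(STRONG & set(sections))

def verify_index(sections, name, data):
    """Check an index file's bytes against every strong digest listed for it."""
    ok = False
    for sec in STRONG & set(sections):
        if name not in sections[sec]:
            continue
        digest, size = sections[sec][name]
        if len(data) != size or hashlib.new(HASHER[sec], data).hexdigest() != digest:
            return False
        ok = True
    return ok  # False when no strong entry covers the file at all

# Constructed sample data (not from the original repository).
PACKAGES = b"Package: example\nVersion: 1.0-1\nArchitecture: all\n"

def _entry(algo, data, name):
    return f" {hashlib.new(algo, data).hexdigest()} {len(data)} {name}\n"

HEADER = "Origin: example\nSuite: stable\nArchitectures: all\nComponents: main\n"
# A Release as the old shell-script produced it: weak digests only.
WEAK_RELEASE = (HEADER + "MD5Sum:\n" + _entry("md5", PACKAGES, "Packages")
                + "SHA1:\n" + _entry("sha1", PACKAGES, "Packages"))
# The same Release with the sections apt-ftparchive adds today.
STRONG_RELEASE = (WEAK_RELEASE + "SHA256:\n" + _entry("sha256", PACKAGES, "Packages")
                  + "SHA512:\n" + _entry("sha512", PACKAGES, "Packages"))
```

Running `strong_hashes_present(parse_release(WEAK_RELEASE))` reproduces the condition behind the warning; the check on the Release file is only meaningful once its signature (InRelease or Release.gpg) has been verified against the repository key.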
In conclusion, in the unlikely event you're using my packages, please see the GPG-instructions. I've also hidden any packages which were solely for Squeeze and Wheezy, but they continue to exist to avoid breaking links.