X-Git-Url: https://git.saurik.com/apt.git/blobdiff_plain/e02c3a9ec2b2f7a8d4aecd70f2ecdae27c207aa9..c2fb49ca1783b9ea2dd8b7cb90a2284750076c65:/debian/NEWS

diff --git a/debian/NEWS b/debian/NEWS
index f82dedf41..67275f6e4 100644
--- a/debian/NEWS
+++ b/debian/NEWS
@@ -1,16 +1,20 @@
-apt (1.3~pre3+cmake1) experimental; urgency=medium
-
-  Early version of CMake based build system. Translations for the dselect
-  method and docbook guides are missing, just as the text docbook guides.
-
-  This is mainly intended for checking building, reproducibility, and
-  cross-compiling.
-
-  This is also the first release since 1999 that re-enabled a thread-local
-  _error. It was disabled by jgg back then due to glibc issues, but I really
-  hope those are fixed now.
-
- -- Julian Andres Klode <jak@debian.org>  Sat, 06 Aug 2016 21:56:19 +0200
+apt (1.4~beta1) unstable; urgency=medium
+
+  Support for GPG signatures using the SHA1 or RIPE-MD/160 hash
+  algorithms has been disabled. Repositories using Release files
+  signed in such a way will stop working. This change has been made
+  due to security considerations, especially with regards to possible
+  further breakthroughs in SHA1 breaking during the lifetime
+  of this APT release series.
+
+  It is possible (but STRONGLY ADVISED AGAINST) to revert to the previous
+  behaviour by setting the options
+    APT::Hashes::SHA1::Weak "yes";
+    APT::Hashes::RIPE-MD/160::Weak "yes";
+  Note that setting these options only affects the verification of the overall
+  repository signature.
+
+ -- Julian Andres Klode <jak@debian.org>  Fri, 25 Nov 2016 13:19:32 +0100
 
 apt (1.2~exp1) experimental; urgency=medium