On 30/10/2025 21:47 EET Patrick Cernko via dovecot <dovecot@dovecot.org> wrote:
Hi Aki, hi Timo, hi list,
On 10/29/25 09:21, Aki Tuomi via dovecot wrote:
Binary packages in https://repo.dovecot.org/
following the instructions for Debian Trixie results in:
Warning: No Hash entry in Release file /var/lib/apt/lists/partial/repo.dovecot.org_ce-2.4-latest_debian_trixie_dists_trixie_InRelease which is considered strong enough for security purposes Error: The repository 'https://repo.dovecot.org/ce-2.4-latest/debian/trixie trixie InRelease' provides only weak security information. Notice: Updating from such a repository can't be done securely, and is therefore disabled by default. Notice: See apt-secure(8) manpage for repository creation and user configuration details.
The InRelease is missing SHA256/SHA512 hashes and only has MD5Sum & SHA1 hashes, see https://wiki.debian.org/DebianRepository/Format#MD5Sum.2C_SHA1.2C_SHA256 ("Clients may not use the MD5Sum and SHA1 fields for security purposes, and must require a SHA256 or a SHA512 field.").
Could you please add at least SHA256 hashes? Otherwise, the repo is useless for Trixie.
Also found: https://doc.dovecot.org/latest/ and https://doc.dovecot.org/ still redirect to .../2.4.1/ instead of .../2.4.2/ !
Best regards,
Patrick Cernko <pcernko@mpi-klsb.mpg.de> +49 681 9325 5815 Joint Scientific IT and Technical Service Max-Planck-Institute für Informatik & Software Systems
Hi!
The hashing issue should be fixed, the redirect issue is unfortunate over aggressive caching issue, you need to clear your local browser cache to fix that. We have fixed it already on server-side.
Aki