Hi Aki, hi Timo, hi list,
On 10/29/25 09:21, Aki Tuomi via dovecot wrote:
Binary packages in https://repo.dovecot.org/
following the instructions for Debian Trixie results in:
Warning: No Hash entry in Release file /var/lib/apt/lists/partial/repo.dovecot.org_ce-2.4-latest_debian_trixie_dists_trixie_InRelease which is considered strong enough for security purposes Error: The repository 'https://repo.dovecot.org/ce-2.4-latest/debian/trixie trixie InRelease' provides only weak security information. Notice: Updating from such a repository can't be done securely, and is therefore disabled by default. Notice: See apt-secure(8) manpage for repository creation and user configuration details.
The InRelease is missing SHA256/SHA512 hashes and only has MD5Sum & SHA1 hashes, see https://wiki.debian.org/DebianRepository/Format#MD5Sum.2C_SHA1.2C_SHA256 ("Clients may not use the MD5Sum and SHA1 fields for security purposes, and must require a SHA256 or a SHA512 field.").
Could you please add at least SHA256 hashes? Otherwise, the repo is useless for Trixie.
Also found: https://doc.dovecot.org/latest/ and https://doc.dovecot.org/ still redirect to .../2.4.1/ instead of .../2.4.2/ !
Best regards,
Patrick Cernko <pcernko@mpi-klsb.mpg.de> +49 681 9325 5815 Joint Scientific IT and Technical Service Max-Planck-Institute für Informatik & Software Systems