#TechIsShitDispatch
It's been more than a year since #Debian #Linux deprecated the insecure #SHA1 hash algorithm in #APT repositories.
The #Keybase, #Slack, and #Dropbox repositories (I'm sure among others) are still using SHA1, and therefore for over a year they have not worked in Debian without changing the default APT policies to allow them.
I know Slack knows about this, because I told them. A year ago.
Why haven't they upgraded the security on their repository?
Seriously, wtf?
#infosec
Note that even #Ubuntu stopped trusting SHA1 hashes for APT repositories in 25.04 (plucky), which was released over eight months ago.
And can we talk about the fact that the Keybase APT repository still uses the host name "*prerelease*.keybase.io" and the Slack APT repository is still stored under "jessie"?
Sheesh.
This problem means people on current #Debian or Debian-derived #Linux systems who have #Slack, #Keybase, or #Dropbox installed via the package manager (i.e., not a Snap) *are not getting updates* to those packages, including both functional and security updates.
Since Slack is an Electron app, i.e., it has an install of Chromium bundled into it, and Chromium gets regular security patches, the version of Slack they have certainly has security vulnerabilities in it.
#infosec