libdvdcss2 package signature is ignored on recent Debian versions
Hi,
I tried to install libdvdcss2 following the instructions https://www.videolan.org/developers/libdvdcss.html
However, after adding the key and doing an apt-get update, I have the following warning:
W: https://download.videolan.org/pub/debian/testing/Release.gpg: Signature by key 8F0845FE77B16294429A79346BCA5E4DB84288D9 uses weak digest algorithm (SHA1)
This implies that the signature is ignored on recent versions of Debian. The reason seems to be https://wiki.debian.org/Teams/Apt/Sha1Removal. This is a security problem because the package could be altered by an attacker during the plain http download.
I think these packages should be signed with SHA256 or SHA512 as described here https://wiki.debian.org/Teams/Apt/Sha1Removal#Fixing_half-broken_repositories. Alternatively, to mitigate the risk, it would be better to instruct users on https://www.videolan.org/developers/libdvdcss.html to use https to access the mirror (this seems to work, and just requires the installation of apt-transport-https).
I also have one last comment about that page: the key http://download.videolan.org/pub/debian/videolan-apt.asc should probably also be downloaded over https rather than http.
Thanks!
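As an added illustration of the checks behind this report (this is not code from the report or from the VideoLAN project), the following Python script does three things a defender would want to automate: it extracts the weak-digest warnings from `apt-get update` output, it reads a `gpg --list-packets` dump of a `Release.gpg` signature and names any MD5/SHA1 digests it finds (the numeric digest identifiers follow RFC 4880 section 9.4), and it rewrites plain-http apt source lines for a given host to https. The apt warning line is the one quoted in the report; the `gpg --list-packets` excerpt and the sources.list fragment are constructed sample inputs, and the `audit()` function name is this example's own.

```python
import re
from typing import Dict, List

# RFC 4880 section 9.4 hash algorithm identifiers, as printed by `gpg --list-packets`.
DIGEST_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
                9: "SHA384", 10: "SHA512", 11: "SHA224"}
# Digests apt no longer accepts for Release signatures (see the Sha1Removal wiki page).
WEAK_DIGESTS = {"MD5", "SHA1"}

# Shape of the warning apt prints when a Release.gpg signature uses a weak digest.
APT_WEAK_RE = re.compile(
    r"^W: (?P<url>\S+): Signature by key (?P<fpr>[0-9A-F]{40}) "
    r"uses weak digest algorithm \((?P<algo>\w+)\)"
)
GPG_DIGEST_RE = re.compile(r"digest algo (\d+)")


def parse_apt_warnings(output: str) -> List[Dict[str, str]]:
    """Return one record per weak-digest warning found in apt-get update output."""
    findings = []
    for line in output.splitlines():
        m = APT_WEAK_RE.match(line.strip())
        if m:
            findings.append(m.groupdict())
    return findings


def weak_signature_digests(packet_listing: str) -> List[str]:
    """Name every weak digest used by signature packets in a `gpg --list-packets` dump."""
    names = []
    for m in GPG_DIGEST_RE.finditer(packet_listing):
        algo_id = int(m.group(1))
        name = DIGEST_ALGOS.get(algo_id, f"unknown({algo_id})")
        if name in WEAK_DIGESTS:
            names.append(name)
    return names


def harden_sources(sources: str, host: str) -> str:
    """Rewrite plain-http `deb`/`deb-src` lines for `host` to https; leave other lines alone."""
    out = []
    for line in sources.splitlines():
        stripped = line.strip()
        if stripped.startswith(("deb ", "deb-src ")) and f"http://{host}" in stripped:
            line = line.replace(f"http://{host}", f"https://{host}", 1)
        out.append(line)
    return "\n".join(out)


# Constructed sample inputs. The apt line is the warning quoted in the report;
# the gpg dump and sources fragment are made up for this example.
SAMPLE_APT_OUTPUT = """\
Hit:1 http://deb.debian.org/debian testing InRelease
W: https://download.videolan.org/pub/debian/testing/Release.gpg: Signature by key 8F0845FE77B16294429A79346BCA5E4DB84288D9 uses weak digest algorithm (SHA1)
"""
SAMPLE_GPG_PACKETS = """\
:signature packet: algo 1, keyid 6BCA5E4DB84288D9
\tversion 4, created 1470000000, md5len 0, sigclass 0x00
\tdigest algo 2, begin of digest 12 34
"""
SAMPLE_SOURCES = """\
deb http://deb.debian.org/debian testing main
deb http://download.videolan.org/pub/debian/stable/ /
"""


def audit() -> Dict[str, object]:
    """Run all three checks over the sample inputs and return the findings."""
    return {
        "apt_warnings": parse_apt_warnings(SAMPLE_APT_OUTPUT),
        "weak_digests": weak_signature_digests(SAMPLE_GPG_PACKETS),
        "hardened_sources": harden_sources(SAMPLE_SOURCES, "download.videolan.org"),
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```

Switching the source line to https only protects the download path; it does not make apt trust a SHA1-signed Release file again, so the repository-side fix (re-signing with SHA256 or stronger) is still required for the signature to count.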