Conversation

@paulrapa
Collaborator

This will remove the SHA1sum block from the Release file.

This is due to Ubuntu 16.04 classifying SHA1 as no longer trustworthy.

I have tested this on a 16.04 and a 14.04 box and both are able to retrieve packages.

@domcleal
Contributor

Why remove it entirely? Is it causing a problem or warning? I'm curious why MD5 is OK if SHA1 needs to be removed.

@javierbertoli

@domcleal, here is the announcement of SHA1 being phased out completely on Debian repos on January 1, 2017.

Also, on 23 February 2017 a collision attack against SHA1 was published.

Debian and Ubuntu's apt-get tool won't accept Release/Packages files signed with SHA1 keys at all.

@mmoll

mmoll commented Mar 8, 2017

@javierbertoli I think apt and friends will happily accept such repos, as long as the files are also signed with SHA256.

@domcleal
Contributor

domcleal commented Mar 8, 2017

Sure, I'm aware of the issues with SHA-1 but older distros or clients may still use it, so I was trying to ascertain why it needs to be removed (and why MD5 doesn't).

Isn't it OK to leave it if the SHA-2 checksum is present? The Debian wiki page states that it's only a problem if the SHA-2 signatures are missing, which they aren't.
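Added example (not part of this pull request or the module's own code): a small Python script that renders a Release file with all three digest blocks, strips one block the way this PR strips SHA1, and verifies a Packages index against the SHA256 entry only. It makes the point of the thread checkable offline: dropping SHA1 leaves verification intact as long as the SHA256 block is present, whereas dropping SHA256 leaves the index with only weak digests, which is the case a client that distrusts SHA-1 cannot verify. The sample index content, the index path and all function names are constructed for the illustration.

```python
import hashlib

# Digest blocks an apt Release file may carry, in the order apt lists them.
HASH_BLOCKS = ("MD5Sum", "SHA1", "SHA256")
HASHERS = {"MD5Sum": hashlib.md5, "SHA1": hashlib.sha1, "SHA256": hashlib.sha256}


def build_release(indexes, algorithms=HASH_BLOCKS, codename="xenial"):
    """Render a minimal Release file listing `indexes` ({path: bytes}) under
    each requested digest block. The header fields are constructed samples."""
    lines = ["Origin: Example", "Suite: stable", "Codename: %s" % codename,
             "Architectures: amd64", "Components: main"]
    for block in algorithms:
        lines.append("%s:" % block)
        for path, content in sorted(indexes.items()):
            lines.append(" %s %d %s" % (HASHERS[block](content).hexdigest(),
                                        len(content), path))
    return "\n".join(lines) + "\n"


def parse_release(text):
    """Split a Release file into header fields and digest blocks.
    Returns (fields, {block: {path: (size, hexdigest)}})."""
    fields, checksums, current = {}, {}, None
    for line in text.splitlines():
        if line.startswith(" ") and current is not None:
            digest, size, path = line.split()   # " <hex> <size> <path>"
            checksums[current][path] = (int(size), digest)
            continue
        current = None
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key = key.strip()
        if key in HASH_BLOCKS:
            current = key
            checksums[key] = {}
        else:
            fields[key] = value.strip()
    return fields, checksums


def strip_block(text, block):
    """Drop one digest block (e.g. "SHA1") from a Release file, as the pull
    request does, leaving every other block untouched."""
    kept, skipping = [], False
    for line in text.splitlines():
        if line.startswith(" ") and skipping:
            continue                       # entry belonging to the dropped block
        skipping = line.rstrip() == block + ":"
        if not skipping:
            kept.append(line)
    return "\n".join(kept) + "\n"


def verify_index(checksums, path, content):
    """Check a downloaded index against the Release file using SHA256 only.
    MD5Sum/SHA1 entries may be present for old clients but are never relied
    on. Returns (ok, reason)."""
    entry = checksums.get("SHA256", {}).get(path)
    if entry is None:
        return False, "no SHA256 entry for %s; only weak digests present" % path
    size, digest = entry
    if len(content) != size:
        return False, "size mismatch for %s" % path
    if hashlib.sha256(content).hexdigest() != digest:
        return False, "SHA256 mismatch for %s" % path
    return True, "ok"


def weak_only_paths(checksums):
    """Paths listed under MD5Sum or SHA1 that have no SHA256 entry: the files
    a client that distrusts SHA-1 cannot verify at all."""
    strong = set(checksums.get("SHA256", {}))
    weak = set()
    for block in ("MD5Sum", "SHA1"):
        weak.update(checksums.get(block, {}))
    return sorted(weak - strong)


# Constructed sample index; in a real repository this is the Packages file.
INDEX_PATH = "main/binary-amd64/Packages"
SAMPLE_INDEXES = {
    INDEX_PATH: b"Package: example\nVersion: 1.0\nArchitecture: amd64\n",
}

if __name__ == "__main__":
    release = build_release(SAMPLE_INDEXES)
    for dropped in ("SHA1", "SHA256"):
        _, sums = parse_release(strip_block(release, dropped))
        print("without %s: verify=%s weak-only=%s" % (
            dropped, verify_index(sums, INDEX_PATH, SAMPLE_INDEXES[INDEX_PATH]),
            weak_only_paths(sums)))
```

Running it prints one line per stripped block: without SHA1 the index still verifies and nothing is weak-only; without SHA256 verification is refused and the index shows up as weak-only. `weak_only_paths` is the check worth running against a repository's real Release file before removing any block.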
