Rejecting SHA1-signed repositories by default (Ubuntu edition)

Hi,

as previously (sort of) announced I want to turn off SHA1 on January 1st by default in apt (in the 1.2 and 1.3 series xenial/yakkety ship). We already turned this off for fields inside the (meta) index files; this step now involves rejecting SHA1-based GPG signatures as well.

Now, we need to do this a bit earlier in our development releases. My proposal is to basically start this in the next few days with 1.4~beta1 in unstable and zesty.

The idea is that SHA1 gets rejected by default, but the error may be lowered to a warning instead. I do not intend to allow lowering it to no notice at all - that would be irresponsible (and a new feature).

Once we have done that in zesty, we can do the same thing for the previously announced Jan 1st date for xenial and yakkety; possibly delaying the xenial one slightly.

There will be an upstream thread in the Debian lists discussing the non-Ubuntu related stuff as well.

Opinions welcome.

--
Debian Developer - deb.li/jak | jak-linux.org - free software dev

When replying, only quote what is necessary, and write each reply directly below the part(s) it pertains to ('inline'). Thank you.
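
As an added example (not part of the original post and not apt's code), the following Python reads the OpenPGP packets of a detached signature such as a repository's Release.gpg, reports the digest algorithm of each signature, and applies the error-or-warning policy described above. The function names, the `weak_as_warning` switch, the inclusion of MD5 in the weak set and the sample packets are assumptions constructed for illustration.

```python
import base64

HASHES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256", 9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK = {"MD5", "SHA1"}  # the post names SHA1; MD5 is added here as an assumption

def dearmor(text):
    """Decode one ASCII-armored signature block (e.g. Release.gpg) to raw packets."""
    lines = [l.strip() for l in text.strip().splitlines()]
    body = lines[lines.index("-----BEGIN PGP SIGNATURE-----") + 1:lines.index("-----END PGP SIGNATURE-----")]
    body = body[body.index("") + 1:]  # armor headers end at the first blank line
    return base64.b64decode("".join(l for l in body if not l.startswith("=")))  # drop CRC line

def packet_header(data, pos):
    """Return (tag, body_start, body_length) of the packet at pos (RFC 4880, 4.2)."""
    first = data[pos]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet")
    if first & 0x40:  # new-format header
        tag, o1 = first & 0x3F, data[pos + 1]
        if o1 < 192:
            return tag, pos + 2, o1
        if o1 < 224:
            return tag, pos + 3, ((o1 - 192) << 8) + data[pos + 2] + 192
        if o1 == 255:
            return tag, pos + 6, int.from_bytes(data[pos + 2:pos + 6], "big")
        raise ValueError("partial body length is not handled")
    n = 1 << (first & 0x03)  # old format: 1, 2 or 4 length octets
    if n == 8:
        raise ValueError("indeterminate length is not handled")
    return (first >> 2) & 0x0F, pos + 1 + n, int.from_bytes(data[pos + 1:pos + 1 + n], "big")

def signature_digests(data):
    """List the digest algorithm name of every signature packet (tag 2)."""
    names, pos = [], 0
    while pos < len(data):
        tag, start, length = packet_header(data, pos)
        if tag == 2:
            body = data[start:start + length]
            algo = body[16] if body[0] == 3 else body[3]  # v3 vs v4 field layout
            names.append(HASHES.get(algo, "unknown(%d)" % algo))
        pos = start + length
    return names

def verdict(data, weak_as_warning=False):
    weak = WEAK & set(signature_digests(data))  # policy as described in the post
    return ("warning" if weak_as_warning else "error") if weak else "ok"

SHA1_SIG = bytes.fromhex("880d0400010200000000abcd0008ff")    # constructed v4 packet, SHA1
SHA256_SIG = bytes.fromhex("c20d0400010800000000abcd0008ff")  # constructed v4 packet, SHA256
```

For a real repository, pass the contents of Release.gpg through `dearmor()` first; a file carrying several signatures yields one entry per signature.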