Stuart Prescott writes ("Re: no-strong-digests-in-dsc MBF"):
> Given the hashes aren't used within Debian and can't be used reliably by
> external parties either, it doesn't feel like a good use of anyone's time.

dgit uses the hashes in the .dsc, both during `dgit fetch' and during
`dgit import-dsc'.  Sponsorship workflows sometimes involve exchanging
or signing only .dscs.

But: I agree that this is not a release-critical bug.  For old .dsc's
(I assume we're not generating new ones) the security requirement is
second preimage resistance for old documents.  I think for .dscs this
will be OK for a while yet.

Ian.

-- 
Ian Jackson <ijack...@chiark.greenend.org.uk>   These opinions are my own.

If I emailed you from an address @fyvzl.net or @evade.org.uk, that is
a private address which bypasses my fierce spamfilter.
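
Added example, not part of the original message and not dgit's or lintian's code: Python that parses a .dsc, checks a file against the strongest digest the .dsc lists for it, and reports whether that digest is SHA-256. The function names and the sample .dsc contents are constructed for illustration; a clearsign wrapper is stripped but the signature is not verified.

```python
import hashlib

# Digest fields a .dsc may carry, weakest first.
ORDER = [("Files", "md5"), ("Checksums-Sha1", "sha1"),
         ("Checksums-Sha256", "sha256")]

def parse_dsc(text):
    """Parse one deb822 paragraph into {field: [value lines]}.
    A clearsign wrapper is stripped; the signature is NOT verified here."""
    lines = text.splitlines()
    if lines and lines[0] == "-----BEGIN PGP SIGNED MESSAGE-----":
        lines = lines[lines.index("") + 1:
                      lines.index("-----BEGIN PGP SIGNATURE-----")]
    fields, current = {}, None
    for line in lines:
        if line[:1] in (" ", "\t") and current:
            fields[current].append(line.strip())   # continuation line
        elif ":" in line:
            current, _, rest = line.partition(":")
            fields[current] = [rest.strip()] if rest.strip() else []
    return fields

def strongest_digest(fields, name):
    """Return (algo, hexdigest) of the strongest digest listed for name."""
    best = None
    for field, algo in ORDER:
        for entry in fields.get(field, []):
            digest, _size, fname = entry.split()
            if fname == name:
                best = (algo, digest)
    return best

def check_file(dsc_text, name, data):
    """Return (algo, matches, strong) for data checked against the .dsc."""
    found = strongest_digest(parse_dsc(dsc_text), name)
    if found is None:
        raise KeyError(f"{name} not listed in .dsc")
    algo, expected = found
    matches = hashlib.new(algo, data).hexdigest() == expected
    return algo, matches, algo == "sha256"

# Constructed sample data: an old-style .dsc (MD5 only) and a newer one.
NAME, TARBALL = "hello_1.0.orig.tar.gz", b"constructed tarball bytes"
def _entry(algo):
    return f" {hashlib.new(algo, TARBALL).hexdigest()} {len(TARBALL)} {NAME}\n"
OLD_DSC = "Format: 1.0\nSource: hello\nVersion: 1.0-1\nFiles:\n" + _entry("md5")
NEW_DSC = OLD_DSC + "Checksums-Sha256:\n" + _entry("sha256")
```

For `OLD_DSC` the check still passes, but only against MD5, which is the case the no-strong-digests-in-dsc tag is about.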