Package: src:rnp Version: 0.14.0-6 Control: forwarded -1 https://github.com/rnpgp/rnp/issues/1281
rnp currently accepts signatures over weak or untrustworthy
cryptographic primitives.
At the moment, there is no API for adjusting which mechanisms are
acceptable, and all implemented algorithms are accepted, including (for
example) signatures from very small RSA keys, or made over known-broken
digests like MD5.
This is probably not a responsible way to ship the library. maybe we
want to follow thunderbird's approach of baking in a more strict policy
via patches until upstream offers an API that lets the library user
select their desired policy.
--dkg
signature.asc
Description: PGP signature

