Hi, On Wed, 2024-06-12 at 09:18 +0200, Gard Spreemann wrote: > Russ Allbery <[email protected]> writes: > > Ansgar 🙀 <[email protected]> writes: > > > In addition it reintroduces trust in weak cryptographic hashes which > > > effort was spent to remove. > > > > I think this concern is significantly overblown and attempted to explain > > precisely why I believe that in my security review. I'll also point out > > that using SHA-256 hashes in *.dsc files does not somehow mean that Debian > > is no longer trusting SHA-1 hashes, given that most Debian development is > > done in Git using SHA-1 hashes. > > > > I think we're all agreed that switching Git to SHA-256 hashes would be > > great and, once that work is done, we should take advantage of it, > > including in tag2upload. > > I have not more than skimmed the architecture, so forgive me if this > makes no sense: Could this fear (whether overblown or not) not be > alleviated by including in the tag2upload structured metadata a SHA-256 > hash of all the files in the given commit?
Yes, that was suggested as a compromise in the past, but tag2upload upstream was not interested in having any changes. Ansgar
