On 18-08-07 02:29 PM, bugzilla-dae...@bugzilla.spamassassin.org wrote:
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7596
Bug ID: 7596
Summary: Update distribution to satisfy new Apache policies,
including replacing SHA-1 checksums with SHA-256 or
SHA-512
Product: Spamassassin
Version: 3.4 SVN branch
Hardware: PC
OS: Mac OS X
Status: NEW
Severity: normal
Priority: P2
Component: Building & Packaging
Assignee: dev@spamassassin.apache.org
Reporter: sid...@sidney.com
Target Milestone: Undefined
See https://www.apache.org/dev/release-distribution#sigs-and-sums
We need to make sure that we confirm to the current release distribution
policies before our next release.
Can we have some clarity on 'intentions' in this regard?
Working on our modified sa-update program, and would like to know what
version is road mapped for SHA256, and because of the need to support
both legacy and new versions, want to build in support for both methods,
and want to confirm that the extension will be .sha256 vs .sha1 file
naming conventions.
Might want to suggest that a 'bridge' version might be considered, which
can support .sha1 files as a fallback, during transition, with a version
where .sha1 will no longer be supported.
Giving lead time will assist developers and custom 'channel' suppliers.