https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7596
John Hardin <jhar...@impsec.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jhar...@impsec.org

--- Comment #5 from John Hardin <jhar...@impsec.org> ---
(In reply to Kevin A. McGrail from comment #4)
> Note, I'm confirming the exact sha1 and sha256 behavior for rules updates.
> We'll be creating both for at least the near future since we are
> cryptographically verifying updates anyway the sha-1 risk is infinitesimally
> low IMO.

I would suggest that (in new code) if both are available then both should be
checked and should both verify the content. At some point in the future we can
completely disable SHA-1 generation and verification.
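
The check suggested in comment #5, sketched as an added example (not code from the bug report or from SpamAssassin): every digest that is published must match, and the update is rejected when none is usable. The function names, the `allow_sha1` switch, the "HEX  filename" digest-file layout and the sample bytes are assumptions made for this illustration.

```python
import hashlib
import hmac

# Algorithms this sketch knows about (names chosen for this example).
SUPPORTED = ("sha1", "sha256")

def parse_digest_line(text):
    """Return the lowercase hex digest from a 'HEX  filename' line (assumed layout)."""
    fields = text.split()
    if not fields:
        raise ValueError("empty digest file")
    return fields[0].lower()

def verify_update(content, digest_files, allow_sha1=True):
    """Check content against every available digest; all of them must match.

    digest_files maps an algorithm name to the text of its digest file,
    or to None (or no entry) when that file was not published.
    Returns (ok, details), where details maps algorithm -> result string.
    """
    details = {}
    for algo in SUPPORTED:
        published = digest_files.get(algo)
        if published is None:
            details[algo] = "absent"
            continue
        if algo == "sha1" and not allow_sha1:
            # Models the later stage where SHA-1 verification is disabled.
            details[algo] = "ignored"
            continue
        expected = parse_digest_line(published)
        actual = hashlib.new(algo, content).hexdigest()
        match = hmac.compare_digest(expected.encode(), actual.encode())
        details[algo] = "match" if match else "MISMATCH"
    checked = [r for r in details.values() if r in ("match", "MISMATCH")]
    # Fail closed: no usable digest, or any mismatch, rejects the update.
    ok = bool(checked) and all(r == "match" for r in checked)
    return ok, details

# Constructed sample data, not a real rules archive.
SAMPLE = b"constructed rules archive bytes\n"
GOOD = {
    "sha1": hashlib.sha1(SAMPLE).hexdigest() + "  update.tar.gz\n",
    "sha256": hashlib.sha256(SAMPLE).hexdigest() + "  update.tar.gz\n",
}

if __name__ == "__main__":
    print(verify_update(SAMPLE, GOOD))
```

Passing `allow_sha1=False` with only a SHA-1 file present is rejected, since no usable digest remains.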