I was a little more definitive on this comment than I should have been,
my apologies.

Any comments on my response?



-------- Forwarded Message --------
Subject:        [Bug 7596] Update distribution to satisfy new Apache policies,
including replacing SHA-1 checksums with SHA-256 or SHA-512
Date:   Fri, 24 Aug 2018 20:41:39 +0000
From:   bugzilla-dae...@bugzilla.spamassassin.org
To:     dev@spamassassin.apache.org



https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7596

--- Comment #7 from Kevin A. McGrail <kmcgr...@apache.org> ---
Just confirmed that code for the support to use sha256 by default for rule
signatures and that sha1 is used as secondary if sha256 does not exist IS in
3.4 and trunk.

Rules updates will continue to create sha1 and sha256 signatures along with the
cryptographic signature.

For 3.4.2 code release, we'll add a sha256 and/or sha512 signature per the new
policy and NOT publish a sha1 signature.

Dropping sha1 support for rule publication is not currently under consideration
due to legacy installations, but we will mention that it's a concern to upgrade
to 3.4.2+ in the near future.

-- 
You are receiving this mail because:
You are the assignee for the bug.
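
Added example, not part of the forwarded comment and not SpamAssassin's own code: a Python sketch of the preference order the comment describes, where sha256 is checked when published and sha1 is used only when no sha256 digest exists. The function names, the digest-file layout and the sample archive are assumptions constructed for illustration; this covers only the checksum step, not the cryptographic signature the comment also mentions.

```python
import hashlib
import hmac

# Preference order from the comment: sha256 first, sha1 only as a fallback.
PREFERENCE = ("sha256", "sha1")

def parse_digest_file(text):
    """Return the hex digest from a '<hex>  <filename>' or bare '<hex>' line."""
    fields = text.split()
    if not fields:
        raise ValueError("empty digest file")
    return fields[0].lower()

def verify_archive(archive, digest_files, allow_sha1=True):
    """Check archive bytes against the strongest published digest.

    digest_files maps an algorithm name to the text of its digest file
    (hypothetical layout). Returns the algorithm that matched and raises
    ValueError on a mismatch or when no acceptable digest is published.
    """
    for algo in PREFERENCE:
        if algo not in digest_files:
            continue  # this digest was not published, try the next one
        if algo == "sha1" and not allow_sha1:
            break  # local policy refuses the legacy digest
        expected = parse_digest_file(digest_files[algo])
        actual = hashlib.new(algo, archive).hexdigest()
        # A mismatch on the preferred digest is final: a present but wrong
        # sha256 must never be rescued by a matching sha1.
        if not hmac.compare_digest(actual.encode(), expected.encode()):
            raise ValueError(f"{algo} mismatch")
        return algo
    raise ValueError("no acceptable digest published")

# Constructed sample input: archive bytes and the digest files a mirror
# would publish next to it (file name is a placeholder).
SAMPLE_ARCHIVE = b"constructed rule update archive"
SAMPLE_DIGESTS = {
    algo: f"{hashlib.new(algo, SAMPLE_ARCHIVE).hexdigest()}  update.tar.gz\n"
    for algo in PREFERENCE
}

if __name__ == "__main__":
    print(verify_archive(SAMPLE_ARCHIVE, SAMPLE_DIGESTS))
```

Calling it with `allow_sha1=False` models an installation that refuses the legacy digest outright once sha256 is always published.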
