https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7596
--- Comment #8 from John Hardin <jhar...@impsec.org> ---
(In reply to Kevin A. McGrail from comment #7)
> Just confirmed that code for the support to use sha256 by default for rule
> signatures and that sha1 is used as secondary if sha256 does not exist IS in
> 3.4 and trunk.

Oh, good. I'd suggest again: if both are present we should validate both. It
sounds like that would be a minor code change.

It's been my position for about 20 years now that a lot of the panic over hash
attacks could have been minimized by using multiple hash algorithms for
validation.
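Added example, not part of the comment above and not SpamAssassin's own code: a Python sketch contrasting the behaviour described in comment #7 (sha256 preferred, sha1 only as a fallback) with the suggestion in comment #8 (validate every digest that is present). The function names, the digest-file layout (`<hex>  <name>`) and the sample data are assumptions made for illustration.

```python
import hashlib
import hmac

# Strongest first; mirrors the order described in the thread (sha256, then sha1).
ALGORITHMS = ("sha256", "sha1")


def parse_digest(text):
    """Return the hex digest from checksum text ('<hex>  <name>' or bare hex)."""
    fields = text.split()
    if not fields:
        raise ValueError("empty digest file")
    return fields[0].lower()


def _matches(algo, payload, digest_text):
    actual = hashlib.new(algo, payload).hexdigest()
    # Constant-time comparison; encoding first keeps odd input from raising.
    return hmac.compare_digest(actual.encode(), parse_digest(digest_text).encode())


def verify_preferred(payload, digests):
    """Comment #7 behaviour: check sha256; use sha1 only when sha256 is absent."""
    for algo in ALGORITHMS:
        if algo in digests:
            return _matches(algo, payload, digests[algo])
    return False  # nothing published to check against: refuse


def verify_all(payload, digests):
    """Comment #8 suggestion: every digest that is present must match."""
    present = [a for a in ALGORITHMS if a in digests]
    if not present:
        return False
    return all(_matches(a, payload, digests[a]) for a in present)


# Constructed sample data, not a real rule update.
ARCHIVE = b"constructed rule archive bytes"
GOOD = {a: hashlib.new(a, ARCHIVE).hexdigest() + "  update.tar.gz\n"
        for a in ALGORITHMS}
# Inconsistent set: sha256 matches the archive, sha1 was computed over other bytes.
STALE_SHA1 = dict(GOOD, sha1=hashlib.sha1(b"older archive").hexdigest()
                  + "  update.tar.gz\n")
```

With `STALE_SHA1`, `verify_preferred` accepts the archive because it never looks at the sha1 value, while `verify_all` rejects it.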