On Fri, 24 Aug 2018, Kevin A. McGrail wrote:
I was a little more definitive on this comment than I should have been,
my apologies.
Any comments on my response?
How far back does the SHA256 support go? Would 3.3.x or 3.4.0 be broken by
dropping the SHA1 sigs?
-------- Forwarded Message --------
Subject: [Bug 7596] Update distribution to satisfy new Apache policies,
including replacing SHA-1 checksums with SHA-256 or SHA-512
Date: Fri, 24 Aug 2018 20:41:39 +0000
From: bugzilla-dae...@bugzilla.spamassassin.org
To: dev@spamassassin.apache.org
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7596
--- Comment #7 from Kevin A. McGrail <kmcgr...@apache.org> ---
Just confirmed that code for the support to use sha256 by default for rule
signatures and that sha1 is used as secondary if sha256 does not exist IS in
3.4 and trunk.
Rules updates will continue to create sha1 and sha256 signatures along with the
cryptographic signature.
For 3.4.2 code release, we'll add a sha256 and/or sha512 signature per the new
policy and NOT publish a sha1 signature.
Dropping sha1 support for rule publication is not currently under consideration
due to legacy installations but we will mention that it's a concern to upgrade
to 3.4.2+ in the near future.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Today: the 1939th anniversary of the destruction of Pompeii
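
The selection order described in the forwarded comment (sha256 by default, sha1 only when no sha256 checksum exists), as an added example that is not part of the original message and is not SpamAssassin's own code. The function names, the checksum-file layout (hex digest as the first whitespace-separated token) and the sample archive are assumptions; the cryptographic signature check mentioned in the comment is out of scope here.

```python
import hashlib
import hmac

def parse_digest(text):
    """Return the lowercase hex digest from a checksum file body, or None if empty."""
    tokens = text.split()
    return tokens[0].lower() if tokens else None

def digest_matches(algorithm, archive, expected):
    """Constant-time comparison of the archive's digest with the expected hex string."""
    if expected is None:
        return False
    actual = hashlib.new(algorithm, archive).hexdigest()
    return hmac.compare_digest(actual.encode(), expected.encode())

def verify_update(archive, sha256_text=None, sha1_text=None, allow_sha1=True):
    """Check an update archive against its published checksums.

    A *_text argument of None means that checksum file does not exist.
    Returns (ok, algorithm_used).
    """
    # sha256 is the default: if the file exists, its verdict is final.
    # A mismatch (or an empty file) must NOT fall through to sha1, otherwise
    # the weaker hash could be used to override a failed sha256 check.
    if sha256_text is not None:
        return digest_matches("sha256", archive, parse_digest(sha256_text)), "sha256"
    # sha1 is secondary: consulted only when no sha256 checksum exists,
    # and only while the caller still accepts it (legacy publication).
    if sha1_text is not None and allow_sha1:
        return digest_matches("sha1", archive, parse_digest(sha1_text)), "sha1"
    return False, None

# Constructed sample data, not a real rule update.
ARCHIVE = b"constructed sample rule archive\n"
GOOD_SHA256 = hashlib.sha256(ARCHIVE).hexdigest() + "  update.tar.gz\n"
GOOD_SHA1 = hashlib.sha1(ARCHIVE).hexdigest() + "  update.tar.gz\n"
BAD_SHA256 = "0" * 64 + "  update.tar.gz\n"

if __name__ == "__main__":
    print(verify_update(ARCHIVE, GOOD_SHA256, GOOD_SHA1))       # sha256 preferred
    print(verify_update(ARCHIVE, BAD_SHA256, GOOD_SHA1))        # no fallback on mismatch
    print(verify_update(ARCHIVE, None, GOOD_SHA1))              # legacy sha1 path
    print(verify_update(ARCHIVE, None, GOOD_SHA1, allow_sha1=False))
```
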