https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7618
Bug ID: 7618
Summary: Obtain variance to keep producing SHA-1 signatures for rules
Product: Spamassassin
Version: unspecified
Hardware: PC
OS: Windows NT
Status: NEW
Severity: normal
Priority: P2
Component: Building & Packaging
Assignee: dev@spamassassin.apache.org
Reporter: kmcgr...@apache.org
Target Milestone: Undefined

Bug 7614 got hijacked for this issue. Recreating here.

KAM: Per https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7596, the policy now is designed to move away from MD5 and SHA-1 to use SHA-256 or SHA-512. We are now producing binary releases and rule releases with SHA-256 & SHA-512 signatures. For binary releases, we have stopped using SHA1 & MD5.

However, for rules, we would like approval to keep producing the SHA1 signature along with a SHA-256 & SHA-512 signature. This will allow older installations back to Apache SpamAssassin 3.3.3 to continue to download and install our rule updates.

Please note that in addition to SHA-1, we also use a GPG signature fingerprint that must match cryptographically in addition to the hash signature. We hope the combination of these two signatures is suitable for a variance.

Can we continue to produce rules with SHA-1, SHA-256 & SHA-512 signatures as long as it is also cryptographically signed?

Sidney: I'm +1 on doing this, however I think we should include plans for phasing out use of SHA-1, which implies some end of life date for the older versions of SpamAssassin that use it.

One thing that would make a difference in continuing with a variance - Does SpamAssassin 3.3.3 have any option to accept rules if the SHA-1 hash matches but another hash or digital signature does not match?
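The question Sidney raises (whether a client could accept an update on a SHA-1 match alone when a stronger digest or the signature does not match) is the crux of the variance. The following is an added illustration, not SpamAssassin's own sa-update code: a client-side acceptance policy in which a published SHA-1 digest is checked for compatibility but can never by itself make an update acceptable. The layout of one sidecar digest per algorithm and the `signature_ok` flag (standing in for the outcome of a detached GPG verification done elsewhere) are assumptions of this example; the archive bytes are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Mapping, Tuple

# Digests strong enough to vouch for the content on their own.
STRONG_DIGESTS = ("sha256", "sha512")
# Published for older clients only; never sufficient by itself.
LEGACY_DIGESTS = ("sha1",)


@dataclass(frozen=True)
class VerifyResult:
    accepted: bool
    reason: str
    matched: Tuple[str, ...]


def publish_digests(data: bytes) -> Dict[str, str]:
    """What a publisher under the requested variance would ship: SHA-1 for
    legacy clients plus SHA-256 and SHA-512 for everyone else."""
    return {algo: hashlib.new(algo, data).hexdigest()
            for algo in LEGACY_DIGESTS + STRONG_DIGESTS}


def verify_rule_update(data: bytes, published: Mapping[str, str],
                       signature_ok: bool) -> VerifyResult:
    """Accept `data` only if every published digest matches, at least one
    strong digest was published and matched, and the detached signature
    verified. `signature_ok` is assumed to come from an external GPG check
    against a pinned key fingerprint (not implemented here)."""
    matched, mismatched = [], []
    for algo, expected in published.items():
        actual = hashlib.new(algo, data).hexdigest()
        # Constant-time comparison of the hex strings.
        if hmac.compare_digest(actual, expected.strip().lower()):
            matched.append(algo)
        else:
            mismatched.append(algo)

    # A file that matches SHA-1 but not SHA-256/SHA-512 is exactly the case a
    # SHA-1-only client would wrongly accept; any mismatch is a hard failure.
    if mismatched:
        return VerifyResult(False,
                            "digest mismatch: " + ", ".join(sorted(mismatched)),
                            tuple(matched))
    if not any(algo in STRONG_DIGESTS for algo in matched):
        return VerifyResult(False,
                            "no SHA-256/SHA-512 digest published; SHA-1 alone is not sufficient",
                            tuple(matched))
    if not signature_ok:
        return VerifyResult(False, "detached signature did not verify",
                            tuple(matched))
    return VerifyResult(True, "ok", tuple(matched))


# Constructed stand-in for a rules archive and a tampered copy of it.
SAMPLE_RULES = b"# constructed rules archive\nheader SOME_RULE exists:X-Example\n"
TAMPERED_RULES = SAMPLE_RULES.replace(b"exists", b"=~ /./")


def demo() -> Dict[str, VerifyResult]:
    """Run the policy over the cases discussed in the bug."""
    published = publish_digests(SAMPLE_RULES)
    sha1_only = {"sha1": published["sha1"]}
    return {
        "good": verify_rule_update(SAMPLE_RULES, published, True),
        "tampered": verify_rule_update(TAMPERED_RULES, published, True),
        "unsigned": verify_rule_update(SAMPLE_RULES, published, False),
        "sha1_only": verify_rule_update(SAMPLE_RULES, sha1_only, True),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:10s} accepted={result.accepted} ({result.reason})")
```

The order of the checks matters: digest mismatches are reported before the signature result so that a client never reaches a state where a matching SHA-1 is treated as overriding a failed SHA-256 or a failed signature, which is the failure mode Sidney asks about for 3.3.3.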