https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7618
--- Comment #9 from Kevin A. McGrail <kmcgr...@apache.org> --- I have not done a threat model on the weakness in sha1 sig's and why their weakness presents a risk either to rules or distributions but the policy[1] is very clear. [1] The policy is here: https://www.apache.org/dev/release-distribution#sigs-and-sums The March deadline was to give distros and administrators time to come to terms with this problem. -- You are receiving this mail because: You are the assignee for the bug.
