https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7618
--- Comment #10 from Henrik Krohns <apa...@hege.li> ---

Let me fully reiterate:

I object to calling checksums "signatures", which they are not. It simply creates confusion.

Apache has it correct https://www.apache.org/dev/release-distribution#sigs-and-sums:

.asc for a (ASCII-armored) PGP _signature_
.sha1 for a SHA-1 _checksum_

- Checksums are file integrity checks, nothing more
- Signatures verify authenticity cryptographically

As already mentioned here, SHA-whatever makes no difference for security. It's simply a file integrity check. PGP is used for verification.

I also do not see anything in that Apache policy that would affect how sa-update does its job. It's not related to software artifacts or any .apache.org site. The sa-update rules are not even hosted on ASF infra.

That said, I have no vote either way as it makes no difference to anything. It just seems a big hassle about nothing. But it's a good thing if it makes people upgrade some installations.