https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7618

--- Comment #11 from Kevin A. McGrail <kmcgr...@apache.org> ---
My apologies for calling it a sig instead of a sum.  That is clearly wrong and
me just being lazy.

What is important is that sa-update's use of a combination of GPG signature and
hash sum was part of the reason we got the ASF extension on this policy
previously.  However, it's not permitted to use md5 or sha1 to checksum and
publish the veracity of a release.  Our rules are considered releases and I
can't show there is no risk.
