https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7618
--- Comment #15 from Kevin A. McGrail <kmcgr...@apache.org> ---
(In reply to RW from comment #14)
> (In reply to Kevin A. McGrail from comment #9)
> > I have not done a threat model on the weakness in sha1 sig's and why their
> > weakness presents a risk either to rules or distributions but the policy[1]
> > is very clear.
>
> The wording is "SHOULD NOT supply a MD5 or SHA-1 checksum file", using the
> terminology of RFC 2119:
>
> " SHOULD NOT This phrase, or the phrase "NOT RECOMMENDED" mean that
> there may exist valid reasons in particular circumstances when the
> particular behavior is acceptable or even useful, but the full
> implications should be understood and the case carefully weighed
> before implementing any behavior described with this label."

Agreed. The Mar 1 not very distant future warning is for when the policy goes from should not to must not so people are not caught off guard.