https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7618

--- Comment #16 from RW <rwmailli...@googlemail.com> ---

There are some cases where hash files could be used for authentication, for
example, someone might download one via HTTPS to verify a tarball from a shared
insecure cache. Clearly those rules apply to the rule tarball on this page:

  http://spamassassin.apache.org/downloads.cgi

There are no SHA-1 or MD5 hash files there for the rule tarball; it's already
compliant.

The URLs used by sa-update are part of a private interface that isn't exposed
to the public (unless they dig around in the internals), and where the security
of the hashes is irrelevant. To apply the same rules here is stretching the
letter of the law and ignoring its spirit IMO.
