https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7618
--- Comment #19 from Kevin A. McGrail <kmcgr...@apache.org> --- Well it's not my intent to take anyone by surprise. This announcement is the same information that was included in 3.4.3 just carried forward to 3.4.4 based on requests to stop using SHA-1 checksums. Some PMC members have raised flags and I'd like them to have the opportunity to discuss and see if they can determine there is no security risk and if a variance request makes sense. I'm a 0 on that effort and 3.4.2 was release in 2018 with 3.4.1 in 2015. Are there command line parameters to ignore the sums with 3.4.0 & 3.4.1 that we can recommend people use? An unofficial channel could also just repackage the rules and provide a sha-1 sig if there is demand for it. I have updated the verbiage on the index and news page on the website. I'm not the only one to refer to them as signatures though (https://en.wikipedia.org/wiki/SHA-1) I have a reminder from Dec on my to-list to stop sha-1 checksums and will lead the effort with SA Sysadmins to implement it. Anything I missed, Sidney? -- You are receiving this mail because: You are the assignee for the bug.