https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7618

--- Comment #19 from Kevin A. McGrail <kmcgr...@apache.org> ---
Well it's not my intent to take anyone by surprise.  This announcement is the
same information that was included in 3.4.3 just carried forward to 3.4.4 based
on requests to stop using SHA-1 checksums.

Some PMC members have raised flags and I'd like them to have the opportunity to
discuss and see if they can determine there is no security risk and if a
variance request makes sense.  I'm a 0 on that effort and 3.4.2 was released in
2018 with 3.4.1 in 2015.

Are there command line parameters to ignore the sums with 3.4.0 & 3.4.1 that we
can recommend people use?

An unofficial channel could also just repackage the rules and provide a sha-1
sig if there is demand for it.

I have updated the verbiage on the index and news page on the website.  I'm not
the only one to refer to them as signatures though
(https://en.wikipedia.org/wiki/SHA-1)

I have a reminder from Dec on my to-do list to stop sha-1 checksums and will lead
the effort with SA Sysadmins to implement it.

Anything I missed, Sidney?
