https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7618
--- Comment #21 from Henrik Krohns <apa...@hege.li> ---
sa-update thankfully has things very clear:

"sa-update by default will verify update archives by use of SHA256 and SHA512 checksums and GPG signature. SHA* hashes can verify whether or not the downloaded archive has been corrupted, but it does not offer any form of security regarding whether or not the downloaded archive is legitimate (aka: non-modified by evildoers). GPG verification of the archive is used to solve that problem."

Debian/Ubuntu already have 3.4.2 and even RedHat seems to be getting SHA256 support, so hopefully it will be good there:
https://bugzilla.redhat.com/show_bug.cgi?id=1787382
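
The checksum-versus-signature distinction quoted above, as an added example that is not part of the original comment and is not sa-update's code. A toy textbook-RSA signature stands in for GPG, and every name and sample value is constructed for illustration.

```python
import hashlib

# Toy textbook-RSA key standing in for the sa-update GPG key (assumption:
# illustration only; Mersenne-prime moduli and unpadded RSA are not secure).
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, held only by the publisher


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign(data: bytes) -> int:
    """Publisher side: sign the SHA-256 digest with the private key."""
    return pow(int(sha256_hex(data), 16), D, N)


def signature_ok(data: bytes, sig: int) -> bool:
    """Client side: check the signature against the pinned public key (N, E)."""
    return pow(sig, E, N) == int(sha256_hex(data), 16)


def publish(archive: bytes) -> dict:
    """Files a mirror serves: archive, checksum file, detached signature."""
    return {"archive": archive, "sha256": sha256_hex(archive), "sig": sign(archive)}


def verify(files: dict) -> dict:
    """Run both checks a client can make on a downloaded update."""
    return {"checksum": sha256_hex(files["archive"]) == files["sha256"],
            "signature": signature_ok(files["archive"], files["sig"])}


# Constructed sample data, not a real rule update.
genuine = publish(b"score EXAMPLE_RULE 2.5\n")

# Corrupted download: archive bytes changed in transit, checksum file untouched.
corrupted = dict(genuine, archive=b"score EXAMPLE_RULE 2.4\n")

# Modified at the source: the checksum file sits next to the archive, so it is
# regenerated along with it; a valid signature cannot be produced without D.
altered = b"score EXAMPLE_RULE 0.0\n"
tampered = dict(genuine, archive=altered, sha256=sha256_hex(altered))

if __name__ == "__main__":
    for name, files in [("genuine", genuine), ("corrupted", corrupted), ("tampered", tampered)]:
        print(name, verify(files))
```

The checksum catches the corrupted download but passes the modified archive, because the checksum travels over the same channel as the archive; only the signature check against a key the client already trusts rejects both.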