https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7618
--- Comment #22 from Sidney Markowitz <sid...@sidney.com> ---
(In reply to Kevin A. McGrail from comment #19)

> Some PMC members have raised flags and I'd like them to have the opportunity
> to discuss and see if they can determine there is no security risk and if a
> variance request makes sense. I'm a 0 on that effort and 3.4.2 was released
> in 2018 with 3.4.1 in 2015.

I didn't see any flags raised since the decisions that were made in September 2018. Nobody objected to the March 1, 2020 date that was announced in the release of 3.4.3 and 3.4.4. The only objection was to point out that the word "signature" should be "checksum", but that doesn't invalidate the announcement.

> Are there command line parameters to ignore the sums with 3.4.0 & 3.4.1 that
> we can recommend people use?

No. There is one to ignore the GPG signature, but sa-update before 3.4.2 will exit with a channel failed message if no SHA-1 checksum file can be downloaded. This will make March 1, 2020 a hard deadline for running sa-update in versions older than 3.4.2. The only workaround would be to patch sa-update like RedHat is proposing to do in https://bugzilla.redhat.com/show_bug.cgi?id=1787382

BTW, I don't think RedHat's approach is a good idea. We have made sure that rule updates work with old versions, including conditionals as necessary, but with this change the backwards compatibility will no longer be tested and IMO should not be counted on.

> An unofficial channel could also just repackage the rules and provide a
> sha-1 sig if there is demand for it.

That's the right way to do it if anyone really wants to set one up. However, that will still depend on rule developers making sure that the rules stay backward compatible. Can we count on sufficient testing for that?

> I have updated the verbiage on the index and news page on the website. I'm
> not the only one to refer to them as signatures though
> (https://en.wikipedia.org/wiki/SHA-1)

Nope, the Wikipedia article talks about *use* of SHA-1 in computing signatures. A signature is a cryptographic hash checksum that is encrypted with a private key. The checksum by itself is not a signature.

> I have a reminder from Dec on my to-do list to stop sha-1 checksums and will
> lead the effort with SA Sysadmins to implement it.
>
> Anything I missed, Sidney?

+1 on that from me
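The distinction drawn in the comment above between a checksum file and a signature, as an added Go example that is not part of this bug thread or of SpamAssassin's code: Ed25519 from Go's standard library stands in for the GPG signature that sa-update checks, and the rule bytes and the in-transit modification are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
)

// Constructed stand-in for a downloaded rules tarball.
var rulesUpdate = []byte("header CONSTRUCTED_RULE Subject =~ /example/\n")
// sha1Hex returns the hex digest as it would appear in a .sha1 file.
func sha1Hex(data []byte) string {
	sum := sha1.Sum(data)
	return hex.EncodeToString(sum[:])
}

// verifyChecksum is all a checksum file can establish: the bytes match the
// digest served alongside them. It says nothing about who produced either.
func verifyChecksum(data []byte, want string) bool { return sha1Hex(data) == want }

// verifySignature binds the bytes to the holder of the publishing private key;
// Ed25519 stands in here for the GPG signature that sa-update checks.
func verifySignature(pub ed25519.PublicKey, data, sig []byte) bool {
	return ed25519.Verify(pub, data, sig)
}

// demo publishes rulesUpdate with a checksum and a signature, then models a
// payload altered in transit by a party that can also replace the .sha1 file
// but holds no private key. It returns the four verification outcomes.
func demo() (genuineSum, genuineSig, alteredSum, alteredSig bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // key generation failure is unrecoverable for this demo
	}
	sig := ed25519.Sign(priv, rulesUpdate)
	genuineSum = verifyChecksum(rulesUpdate, sha1Hex(rulesUpdate))
	genuineSig = verifySignature(pub, rulesUpdate, sig)
	altered := append(append([]byte(nil), rulesUpdate...), "# constructed modification\n"...)
	alteredSum = verifyChecksum(altered, sha1Hex(altered)) // checksum republished with the data
	alteredSig = verifySignature(pub, altered, sig)        // publisher's signature no longer matches
	return
}

func main() {
	gs, gg, as, ag := demo()
	fmt.Printf("genuine: checksum=%v signature=%v\naltered: checksum=%v signature=%v\n", gs, gg, as, ag)
}
```

The altered payload passes the checksum check because whoever rewrites the data can rewrite the .sha1 file too; only the signature check fails, which is why the comment treats the two as different things.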