Julian Foad wrote on Mon, 13 Aug 2018 15:28 +0100:
> Daniel Shahaf wrote:
> > Thank you! Documented in the 1.11 release notes in r1837957.
>
> Thanks. Maybe change the rationale:
>
> - We consider the SHA-1 cryptographic hash function too weak for our needs.
> + This change follows the <a href="...">ASF release policy</a>.
>
> ?

The reason ASF's policy recommends against sha1 is because it is "too weak", as the page currently states. I don't know if the distinction between "the Subversion developers assessed SHA-1 as too weak" and "ASF Infra assessed SHA-1 as too weak" is important enough to be drawn in the release notes. The technical argument and end result are the same regardless of who made the decision.

HACKING could certainly mention this detail, though.

Cheers,

Daniel