andrewmusselman opened a new issue, #679:
URL: https://github.com/apache/tooling-trusted-releases/issues/679

**ASVS References:** 11.3.2 (Recommendation 4), 11.4.1 (Suggestion 1)

### Description

Multiple audits recommend creating an explicit cryptographic algorithm inventory document. The codebase uses a strong set of algorithms (BLAKE3, SHA3-256, SHA-256, SHA-512 for hashing; HS256/RS256 for JWT; `secrets` module for RNG), but there is no centralized documentation listing:

- Approved hash algorithms and their intended use cases
- Approved symmetric ciphers and modes
- Approved asymmetric algorithms and minimum key sizes
- Expected GPG/PGP configuration for signature verification environments
- Minimum key strength requirements for `pgpy` operations

A documented cryptographic policy would simplify future audits and help contributors make consistent algorithm choices.

### Severity

Informational — Process improvement, not a code vulnerability.
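One way to make such an inventory enforceable rather than purely documentary: keep the approved-algorithm list as data and route hashing, JWT header checks and key-size checks through it. This is an added illustration, not code from tooling-trusted-releases; the algorithm names come from the issue text, while the use-case labels and key-size floors are assumptions.

```python
"""Cryptographic algorithm inventory as data, plus helpers that enforce it."""
import base64
import hashlib
import json

# Constructed inventory: names from the issue; use cases and key floors are assumed.
INVENTORY = {
    "hash": {
        "blake3": "artifact checksums (needs the third-party blake3 package)",
        "sha3_256": "artifact checksums",
        "sha256": "artifact checksums, interop with external tooling",
        "sha512": "artifact checksums, interop with external tooling",
    },
    "jwt": {"HS256", "RS256"},          # approved JWT signing algorithms
    "rng": {"secrets"},                 # approved source of randomness
    "asymmetric": {"rsa": 3072, "ed25519": 256},  # assumed minimum key bits
}


def approved_digest(name: str, data: bytes) -> str:
    """Hash data with an approved algorithm; reject anything not in the inventory."""
    if name not in INVENTORY["hash"]:
        raise ValueError(f"hash algorithm {name!r} is not in the approved inventory")
    if name not in hashlib.algorithms_available:
        raise RuntimeError(f"{name!r} is approved but this hashlib build lacks it")
    return hashlib.new(name, data).hexdigest()


def b64url(obj: dict) -> str:
    """JWT-style unpadded base64url of a JSON object (used to build samples)."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")


def jwt_alg_allowed(token: str) -> bool:
    """True only if the token header's 'alg' is an approved signing algorithm.

    Unparseable headers and 'alg': 'none' return False, so callers fail closed.
    """
    try:
        segment = token.split(".")[0]
        padded = segment + "=" * (-len(segment) % 4)
        header = json.loads(base64.urlsafe_b64decode(padded))
    except ValueError:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        return False
    return isinstance(header, dict) and header.get("alg") in INVENTORY["jwt"]


def key_size_allowed(algorithm: str, bits: int) -> bool:
    """Check an asymmetric key length against the inventory's minimum."""
    minimum = INVENTORY["asymmetric"].get(algorithm.lower())
    return minimum is not None and bits >= minimum
```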


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
