Andreas Stieger:
> Hello,
>
> while packaging postfix 2.11.1 I noticed that the corresponding PGP/GPG
> signature is generated using the MD5 digest algorithm. MD5 is now
> disabled as an acceptable digest method for signatures for source
> tarballs of openSUSE packages. Would it be possible to re-issue the
> signature using SHA-1 or any of the SHA-2 family?

Thanks for checking the signature. MD5 is good enough for Postfix
tarballs, since there are no known second pre-image attacks. It has
the significant benefit that it is supported by every existing PGP
implementation.

What does this have to do with openSUSE source-code tarballs?

Wietse
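
The check discussed in this exchange, as an added example that is not part of the original messages nor Postfix or openSUSE tooling: a Python parser that reads the digest algorithm recorded in a detached OpenPGP signature (binary or ASCII-armored), following the RFC 4880 packet layout. The function names and the sample packets are assumptions; the packets are constructed and truncated after the fields the parser reads.

```python
import base64

# Hash algorithm IDs from RFC 4880, section 9.4
HASH_NAMES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}

def dearmor(data: bytes) -> bytes:
    # Binary packets always start with bit 7 set, so armor is easy to tell apart
    if not data.lstrip().startswith(b"-----BEGIN PGP"):
        return data
    lines = [l.strip() for l in data.strip().splitlines()]
    start = lines.index(b"") + 1           # a blank line ends the armor headers
    body = [l for l in lines[start:-1] if not l.startswith(b"=")]  # skip CRC24
    return base64.b64decode(b"".join(body))

def first_packet(data: bytes):
    hdr = data[0]
    if not hdr & 0x80:
        raise ValueError("not an OpenPGP packet")
    if hdr & 0x40:                         # new-format header
        tag, first = hdr & 0x3F, data[1]
        if first < 192:
            length, off = first, 2
        elif first < 224:
            length, off = ((first - 192) << 8) + data[2] + 192, 3
        elif first == 255:
            length, off = int.from_bytes(data[2:6], "big"), 6
        else:
            raise ValueError("partial body length not supported")
    else:                                  # old-format header
        tag, ltype = (hdr >> 2) & 0x0F, hdr & 3
        if ltype == 3:
            raise ValueError("indeterminate length not supported")
        n = 1 << ltype                     # 1, 2 or 4 length octets
        length, off = int.from_bytes(data[1:1 + n], "big"), 1 + n
    return tag, data[off:off + length]

def signature_digest(sig: bytes) -> str:
    tag, body = first_packet(dearmor(sig))
    if tag != 2:                           # tag 2 = signature packet
        raise ValueError("first packet is not a signature")
    offset = {3: 16, 4: 3}.get(body[0])    # hash octet position for v3 / v4
    if offset is None:
        raise ValueError("unsupported signature version")
    return HASH_NAMES.get(body[offset], f"unknown({body[offset]})")

# Constructed sample packets (not real signatures)
V4_MD5 = bytes([0x88, 4, 4, 0x00, 1, 1])
V3_SHA1 = bytes([0x88, 17, 3, 5, 0x00]) + bytes(12) + bytes([1, 2])
ARMORED = (b"-----BEGIN PGP SIGNATURE-----\n\n" + base64.b64encode(V4_MD5)
           + b"\n-----END PGP SIGNATURE-----\n")
```

Passing the bytes of a downloaded `.sig` or `.asc` file to `signature_digest` returns the digest name, which a packaging check can compare against its own list of accepted algorithms.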