Daniel Kahn Gillmor <d...@fifthhorseman.net> writes:

> On Fri 2019-03-22 09:32:55 +0100, Lucas Nussbaum wrote:
>> I'm probably missing something, but it doesn't sound like a lot of work
>> to me? It's "just" a service that:
>> - gets notified of the existence of a git repo + tag to upload
>> - fetches that git repo + tag
>> - checks signature / confirm that the GPG key owner is allowed to upload
>>   that package
>
> In case anyone is considering trying to do this, please be aware that
> there are several non-obvious subtleties involved in "verifying a git
> tag".
Doesn't Git also only use hash algorithms that are no longer recommended for
cryptographic applications? Or have they finished moving to stronger
algorithms? I don't think we should downgrade to SHA-1 for new services.

Ansgar
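As an added illustration of the "non-obvious subtleties" dkg warns about (this is example code written for this page, not code from anyone in the thread or from any Debian service), the script below applies an upload policy to the GnuPG status lines that `git verify-tag --raw` prints on stderr, instead of trusting the command's exit code. It authorises on the primary key fingerprint from VALIDSIG rather than the key id in GOODSIG, refuses any signature made over MD5 or SHA-1, and rejects the whole tag if any one of several signatures is bad, expired or revoked. The allowlist, the policy choices and the sample status lines are constructed for the example. Note that this covers only the digest used inside the OpenPGP signature; the object hash Ansgar raises is separate, because the tag object the signature covers names its commit by git's object id (SHA-1 in an ordinary repository, which `git rev-parse --show-object-format` will report).

```python
"""Accept or reject a signed git tag from the GnuPG status lines that
``git verify-tag --raw <tag>`` writes to stderr.  Added example; the
allowlist, policy and sample lines below are constructed, not real."""

import subprocess

# Constructed allowlist: primary-key fingerprints permitted to upload.
ALLOWED_PRIMARY_FPRS = {"0123456789ABCDEF0123456789ABCDEF01234567"}

# OpenPGP hash-algorithm ids (RFC 4880 section 9.4) we refuse to accept.
WEAK_HASH_ALGOS = {"1", "2"}  # 1 = MD5, 2 = SHA-1

# Any of these on a signature makes the tag unacceptable.
FATAL_TOKENS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}


def parse_status(status_text):
    """Split status output into one list of (token, args) per signature;
    every NEWSIG line starts a new signature block."""
    sigs, current = [], None
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        token, args = fields[1], fields[2:]
        if token == "NEWSIG":
            current = []
            sigs.append(current)
        elif current is not None:
            current.append((token, args))
    return sigs


def check_signature(sig, allowed_primary_fprs):
    """Return (ok, reason) for one signature block."""
    tokens = {token for token, _ in sig}
    fatal = tokens & FATAL_TOKENS
    if fatal:
        return False, "signature status " + ",".join(sorted(fatal))
    if "GOODSIG" not in tokens:
        return False, "no GOODSIG"
    validsig = [args for token, args in sig if token == "VALIDSIG"]
    if len(validsig) != 1 or len(validsig[0]) < 10:
        return False, "expected exactly one well-formed VALIDSIG"
    args = validsig[0]
    # VALIDSIG fields (gnupg doc/DETAILS): fpr, sig-date, sig-timestamp,
    # expire-timestamp, sig-version, reserved, pubkey-algo, hash-algo,
    # sig-class, primary-key-fpr.
    hash_algo, primary_fpr = args[7], args[9].upper()
    if hash_algo in WEAK_HASH_ALGOS:
        return False, "signature uses weak hash algorithm id " + hash_algo
    # Authorise on the primary fingerprint: not on the 64-bit key id that
    # GOODSIG carries, and not on the signing-subkey fingerprint in field 1.
    if primary_fpr not in allowed_primary_fprs:
        return False, "key " + primary_fpr + " not allowed to upload"
    return True, "ok"


def tag_accepted(status_text, allowed_primary_fprs=ALLOWED_PRIMARY_FPRS):
    """Accept only if there is at least one signature and every signature
    is good, unexpired, unrevoked, strong-hash and from an allowed key."""
    sigs = parse_status(status_text)
    if not sigs:
        return False, "no signature found"
    for sig in sigs:
        ok, reason = check_signature(sig, allowed_primary_fprs)
        if not ok:
            return False, reason
    return True, "ok"


def verify_git_tag(repo, tag, allowed_primary_fprs=ALLOWED_PRIMARY_FPRS):
    """Run git on a real checkout and apply the policy (not run offline).
    The exit code is deliberately ignored; the status lines decide."""
    proc = subprocess.run(["git", "-C", repo, "verify-tag", "--raw", tag],
                          capture_output=True, text=True)
    return tag_accepted(proc.stderr, allowed_primary_fprs)


# Constructed sample: one good RSA (pubkey-algo 1) signature over SHA-256
# (hash-algo 8) from the allowed key.
GOOD_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] KEY_CONSIDERED 0123456789ABCDEF0123456789ABCDEF01234567 0
[GNUPG:] GOODSIG 89ABCDEF01234567 Test Uploader <uploader@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2019-03-22 1553241175 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# Same key, but the signature digest is SHA-1 (hash-algo 2).
SHA1_STATUS = GOOD_STATUS.replace(" 1 8 00 ", " 1 2 00 ")

# The good signature followed by a second one from an expired key.
MIXED_STATUS = GOOD_STATUS + """\
[GNUPG:] NEWSIG
[GNUPG:] EXPKEYSIG FEDCBA9876543210 Old Key <old@example.org>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2019-03-22 1553241175 0 4 0 1 8 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98
"""

if __name__ == "__main__":
    for name, status in (("good", GOOD_STATUS), ("sha1", SHA1_STATUS), ("mixed", MIXED_STATUS)):
        print(name, tag_accepted(status))
```

Run against the constructed samples, only the first is accepted; the SHA-1 signature and the tag carrying an extra expired-key signature are both rejected with a reason the upload service can log. A real deployment would call `verify_git_tag` on the fetched checkout, after also confirming that the tag object points at a commit rather than a blob or another tag, which `git cat-file -t` on the tag's `object` line can tell you.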