On 7/27/19 8:16 PM, Rebecca N. Palmer wrote:
> As a way to avoid relying on SHA-1, would it work to have git-debpush
> include a longer hash in the tag message, and tag2upload also verify
> that hash?

What exactly would you create that long hash of? If we don't trust SHA-1, then we might also not be able to trust the linked list of commits a git tag is pointing to.

-- 
Bernd Zeimetz, Debian GNU/Linux Developer
http://bzed.de http://www.debian.org
GPG Fingerprint: ECA1 E3F2 8E11 2432 D485 DD95 EB36 171A 6FF9 435F