https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7614
--- Comment #2 from Sidney Markowitz <[email protected]> ---

This is late to bring this up, but I think I have a problem with this regarding what we did for bug #7596.

It is one thing to keep publishing SHA-1 hash for rules to maintain backward compatibility with SpamAssassin 3.3.2 while we set an end of life for it. It is another to have SHA-1 checking in sa-update 3.4.2.

If someone runs sa-update with the --no-gpg option, even if we publish rules with SHA-256 and SHA-512 hashes, an attacker who somehow introduces a fake rule update that matches our SHA-1 could block reception of the SHA-256 and SHA-512 hashes, and sa-update running with --no-gpg would accept the fake rules.

I think sa-update in 3.4.2 should not check the SHA-1 hash at all. We would still publish SHA-1 to allow 3.3.2 to accept the rules, only stopping that after reaching an announced end of life for SpamAssassin 3.3.2.

Is there any reason to keep support for checking SHA-1 in 3.4.2? Will there be any rule updates released in the future that do not include the SHA-256 and SHA-512 hashes?
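Added example, not part of the original comment and not sa-update's code: a minimal Python model of the downgrade described above, comparing a verifier that falls back to whichever digest arrived with one that ignores SHA-1 entirely. The function names, the sample archive and the choice to require both SHA-256 and SHA-512 are assumptions made for illustration.

```python
import hashlib
import hmac

STRONG = ("sha512", "sha256")  # digests the strict policy insists on
WEAK = ("sha1",)               # still published for old clients, never trusted below


def digest(alg, data):
    """Hex digest of data under the named hashlib algorithm."""
    return hashlib.new(alg, data).hexdigest()


def verify_fallback(data, published):
    """Hypothetical lenient policy: check the strongest digest that arrived.

    If the stronger digest files are blocked in transit, the accept/reject
    decision silently rests on SHA-1 alone.
    """
    for alg in STRONG + WEAK:
        if alg in published:
            return hmac.compare_digest(digest(alg, data), published[alg])
    return False


def verify_strict(data, published):
    """Hypothetical strict policy: ignore SHA-1, require every strong digest."""
    for alg in STRONG:
        if alg not in published:
            return False  # a missing strong digest is a failure, not a fallback
        if not hmac.compare_digest(digest(alg, data), published[alg]):
            return False
    return True


# Constructed sample data. RULES stands in for any archive whose SHA-1
# matches the published value; no collision is produced here.
RULES = b"# constructed sample rule archive\n"
FULL = {alg: digest(alg, RULES) for alg in STRONG + WEAK}
STRIPPED = {"sha1": FULL["sha1"]}  # what a client sees when stronger files are blocked

if __name__ == "__main__":
    print("fallback, digests stripped:", verify_fallback(RULES, STRIPPED))
    print("strict,   digests stripped:", verify_strict(RULES, STRIPPED))
    print("strict,   all digests:     ", verify_strict(RULES, FULL))
```

With the strict policy, continuing to publish SHA-1 for older clients costs nothing, because its presence or absence never influences the result.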
