https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7614
--- Comment #5 from Sidney Markowitz <[email protected]> ---
(In reply to Bill Cole from comment #3)

It just occurred to me regarding the rationale you listed: If it is not plausible that a hypothetical attack will provide simultaneous collisions against two hash functions, then there still is no reason to check SHA-1, since there will be both SHA256 and SHA512 hashes supplied with the updates.

The argument against checking SHA-1 is that any unneeded code provides more places that a bug or an unexpected vulnerability could hide. Complexity is always the enemy of security.

-- 
You are receiving this mail because:
You are the assignee for the bug.
