https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7614
--- Comment #6 from Bill Cole <[email protected]> ---
(In reply to Sidney Markowitz from comment #5)
> (In reply to Bill Cole from comment #3)
>
> It just occurred to me regarding the rationale you listed: If it is not
> plausible that a hypothetical attack will provide simultaneous collisions
> against two hash functions, then there still is no reason to check SHA-1,
> since there will be both SHA256 and SHA512 hashes supplied with the updates.
>
> The argument against checking SHA-1 is that any unneeded code provides more
> places that a bug or an unexpected vulnerability could hide. Complexity is
> always the enemy of security.

An excellent point. Simplicity is better. Quicker to code too.
