https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7618
Sidney Markowitz <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[email protected]

--- Comment #2 from Sidney Markowitz <[email protected]> ---

With the latest changes to sa-update in 3.4.2 so that it will ignore SHA-1 hashes and require at least one of SHA-256 or SHA-512, I'm +1 with this. Even if we continue to include SHA-1 hashes with the rule updates, the newer versions of sa-update (3.4.2 and later) cannot be tricked into relying on them.

I do note that the documentation in sa-update makes it explicit that the security comes from the GPG signature. The hashes are only there to protect against data corruption in transit.

The Apache policy to drop SHA-1 is for security reasons. As RW pointed out, dropping SHA-1 here doesn't affect security. We are dropping use of SHA-1 for the rule updates because it is Apache policy to stop using SHA-1. If it isn't used anywhere, then there is no need to evaluate where it is safe to use.

Because it is not a security issue here, we can ask for a variance to last only until the end of life of Apache SpamAssassin 3.3.2. We should choose an end-of-life date for 3.3.2-compatible rule updates.

There is still the typo referring to a SpamAssassin version 3.3.3 instead of 3.3.2.
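The verification policy the comment describes (SHA-1 sidecar digests are ignored, at least one of SHA-256 or SHA-512 must be present and match) can be illustrated with a short integrity check. The following is an added example written for this page; it is not sa-update's own code and does not model the GPG signature step, which is what actually authenticates an update. The payload, the digest sidecars, and the function names are constructed for the illustration.

```python
import hashlib

# Constructed policy mirroring the comment: SHA-1 digests are ignored
# (they can neither help nor hurt), and at least one of SHA-256 or
# SHA-512 must be published and must match the downloaded bytes.
ACCEPTED = ("sha256", "sha512")
IGNORED = ("sha1",)


def check_update_hashes(data: bytes, published: dict) -> tuple:
    """Integrity check only: return (ok, reason).

    `published` maps an algorithm name to the hex digest that a sidecar
    file next to the update archive would carry. This protects against
    corruption in transit; authenticity still comes from the signature,
    which is checked separately and is not modelled here.
    """
    usable = {alg: digest for alg, digest in published.items() if alg in ACCEPTED}
    if not usable:
        # A SHA-1-only sidecar is treated as if no digest were published.
        return False, "no SHA-256 or SHA-512 digest published"
    for alg, digest in usable.items():
        actual = hashlib.new(alg, data).hexdigest()
        if actual != digest.strip().lower():
            return False, f"{alg} mismatch"
    ignored = [alg for alg in published if alg in IGNORED]
    note = f" (ignored: {', '.join(ignored)})" if ignored else ""
    return True, "ok" + note


# Constructed stand-in for a rules update archive (not a real update).
SAMPLE_UPDATE = b"# constructed SpamAssassin rules update\nbody RULE_X /example/\n"


def sample_case_modern():
    """SHA-1 and SHA-256 both published: SHA-256 decides, SHA-1 is ignored."""
    pub = {"sha1": hashlib.sha1(SAMPLE_UPDATE).hexdigest(),
           "sha256": hashlib.sha256(SAMPLE_UPDATE).hexdigest()}
    return check_update_hashes(SAMPLE_UPDATE, pub)


def sample_case_sha1_only():
    """Only a SHA-1 digest published: rejected even though it would match."""
    pub = {"sha1": hashlib.sha1(SAMPLE_UPDATE).hexdigest()}
    return check_update_hashes(SAMPLE_UPDATE, pub)


def sample_case_corrupted():
    """SHA-512 published but the payload was altered in transit."""
    pub = {"sha512": hashlib.sha512(SAMPLE_UPDATE).hexdigest()}
    return check_update_hashes(SAMPLE_UPDATE + b"\x00", pub)


if __name__ == "__main__":
    for case in (sample_case_modern, sample_case_sha1_only, sample_case_corrupted):
        print(case.__name__, case())
```

The point of the three cases is the one the comment makes: continuing to publish a SHA-1 sidecar is harmless to a client that ignores it, and a SHA-1-only sidecar buys nothing, while the actual trust decision belongs to the signature check that runs alongside this one.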
