https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7621
RW <rwmailli...@googlemail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |rwmailli...@googlemail.com

--- Comment #2 from RW <rwmailli...@googlemail.com> ---
To be fair to the OP, it wouldn't weaken verification at all. A .sha256 file is as easy to forge and replace as a .tar.gz file, so one can't vouch for the other.

The hash file is needed because if you use --nogpg then failing the hash check prevents sa-update trying to install a corrupt .tar.gz file (typically a truncated file from a failed download).

I'm not advocating change though, as it should be easy for actively maintained channels to add an extra hash file, and keeping the unnecessary hash check makes sa-update a bit easier to debug.
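Added example, not part of the original comment and not sa-update's own code: a Python sketch of the distinction drawn in Comment #2, where a hash file served beside the archive catches a truncated download but not a replaced archive. The archive bytes, the key and all function names are constructed for illustration, and an HMAC stands in for the GPG signature so the sketch needs no keyring.

```python
import hashlib
import hmac

# Constructed sample data standing in for a channel's update archive.
GOOD_ARCHIVE = b"constructed rules archive " * 64
# Hypothetical publisher secret. Assumption: HMAC replaces the GPG signature
# here; real GPG verification uses a public key, not a shared secret.
PUBLISHER_KEY = b"constructed-publisher-key"


def publish(archive, key):
    """Files a channel would serve: archive, hash file, signature."""
    return {
        "tar.gz": archive,
        "sha256": hashlib.sha256(archive).hexdigest(),
        "sig": hmac.new(key, archive, hashlib.sha256).hexdigest(),
    }


def hash_ok(files):
    """Integrity only: does the archive match the hash served beside it?"""
    digest = hashlib.sha256(files["tar.gz"]).hexdigest()
    return hmac.compare_digest(digest, files["sha256"])


def signature_ok(files, key):
    """Authenticity: depends on a key the download location does not hold."""
    expected = hmac.new(key, files["tar.gz"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, files["sig"])


def truncated_download(files):
    """Failed transfer: archive cut short, the small hash file arrives whole."""
    return {**files, "tar.gz": files["tar.gz"][: len(files["tar.gz"]) // 2]}


def replaced_on_server(files, new_archive):
    """Archive and hash file both replaced; the signature cannot be
    recomputed without the publisher key, so the old one stays."""
    return {**files, "tar.gz": new_archive,
            "sha256": hashlib.sha256(new_archive).hexdigest()}


def check(files, key=PUBLISHER_KEY):
    return {"hash": hash_ok(files), "signature": signature_ok(files, key)}


if __name__ == "__main__":
    served = publish(GOOD_ARCHIVE, PUBLISHER_KEY)
    print("intact   ", check(served))
    print("truncated", check(truncated_download(served)))
    print("replaced ", check(replaced_on_server(served, b"other archive")))
```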