>> There you go for something crippled!  https://shattered.io/
>
>
> I don't think that this is actually relevant. This attack would only work if
> an attacker is able to provide a specially manufactured source tarball and
> get it accepted by SageMath. At that point, the attacker could instead just
> insert arbitrary code in the source tarball.

So according to your point checking the SHA1 is useless, because
attackers are not able to get malicious source tarballs accepted by
SageMath.

Anyway, we're digressing. The move to SHA256 needs to be addressed in
another topic, and it is so elementary that we may as well open a
ticket and continue the discussion there.

Luca

-- 
You received this message because you are subscribed to the Google Groups 
"sage-devel" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to sage-devel+unsubscr...@googlegroups.com.
To post to this group, send email to sage-devel@googlegroups.com.
Visit this group at https://groups.google.com/group/sage-devel.
For more options, visit https://groups.google.com/d/optout.

Reply via email to