On Thu, 30 Jan 2020 11:00:32 +0100 Matus UHLAR - fantomas wrote:

> >> On 29.01.20 15:21, Kevin A. McGrail wrote:

> I use debian, and it uses GPG signatures. so I understand that sha-1
> issue even less...

It was a matter of Apache policy as I understand it. There were no security implications at all. Even if it had been relied on for security, SHA1 would only be potentially vulnerable to an attack by an insider with a supercomputer. Anyone in a position to exploit it could simply generate a new hash file, so switching to SHA256 would still make no difference.