On 1/30/2020 9:54 AM, RW wrote: > On Thu, 30 Jan 2020 11:00:32 +0100 > Matus UHLAR - fantomas wrote: > >>>> On 29.01.20 15:21, Kevin A. McGrail wrote: >> I use debian, and it uses GPG signatures. so I understand that sha-1 >> issue even less... > It was a matter of Apache policy as I understand it. There were no > security implications at all. > > Even if it had been relied on for security, SHA1 would only be > potentially vulnerable to an attack by an insider with a supercomputer. > Anyone in a position to exploit it could simply generate a new hash > file, so switching to SHA256 would still make no difference.
The policy is at https://www.apache.org/dev/release-distribution#sigs-and-sums I have not analyzed the risk or done a threat model on this issue but sha-1 is cryptographically weak and banned by ASF policy. There is a ticket concerning asking for a variance but I am at best, neutral on that idea. Key to the issue is I fail to see how the highly intrusive security work done for 3.4.3 can possibly be backported. My recommendation remains a strong: upgrade to 3.4.4. Regards, KAM -- Kevin A. McGrail kmcgr...@apache.org Member, Apache Software Foundation Chair Emeritus Apache SpamAssassin Project https://www.linkedin.com/in/kmcgrail - 703.798.0171