On Thu, 2020-01-30 at 15:05 -0800, John Hardin wrote:
> On Thu, 30 Jan 2020, Matus UHLAR - fantomas wrote:
>
> > > > > On 29.01.20 15:21, Kevin A. McGrail wrote:
> > > > > Correct, it's a policy issue. ASF Projects must stop
> > > > > providing SHA-1 signatures and we negotiated that deadline.
> >
> > > On Thu, Jan 30, 2020 at 10:44:09AM +0100, Matus UHLAR - fantomas wrote:
> > > > do you mean, not having updates is better than using sha-1?
> >
> > On 30.01.20 11:55, Henrik K wrote:
> > > People using legacy SA versions are at risk from multiple
> > > vulnerabilities.
> > > Doesn't hurt making them upgrade to something sane.
> >
> > so should I understand that as a force move "upgrade or don't get
> > updates"?
> >
> > are you aware that some distro maintainers prefer to backport
> > security fixes to former versions to prevent from functional surprises?
That's what Ubuntu did. I filed a bug report to upgrade to 3.4.3 and listed the CVEs involved. Instead of rolling out 3.4.3 they backported the fixes to 3.4.2. I'm getting ready to file another bug report requesting upgrade to 3.4.4 listing the CVEs affected and see what happens.

> Then they would presumably backport the SHA-256 checksum handling, as
> it is a security issue...

-- 
Chris
31.11972; -97.90167 (Elev. 1092 ft)
17:12:12 up 2 days, 8:39, 1 user, load average: 1.41, 0.72, 0.54
Description: Ubuntu 18.04.3 LTS, kernel 5.3.0-28-generic