On Mon, May 01, 2017 at 11:57:54PM +0200, Johan Corveleyn wrote:
> On Mon, May 1, 2017 at 10:54 PM, Julian Foad <julianfoad_at_apache.org> wrote:
> > Just asking...
> > As I understand it, we paused the issuing of 1.10 alpha releases because we
> > considered that the final 1.10 release will need to address the SHA1
> > collision issue otherwise it won't be considered a viable release.
> > It seemed reasonable to pause for a bit while the SHA1 issue was worked on,
> > and Stefan2 has done some work on that. But currently it seems that there is
> > nobody doing any further work on it.
> > We could continue waiting, or maybe now we should resume the alpha testing
> > of the new features (conflict resolution), and let the SHA1 work be fixed as
> > and when someone is motivated to do so (before or after 1.10). It seems to
> > me that sometimes in open source we need to get on with doing what we can
> > do, and just trust that someone else will do the rest.
> > Thoughts?
> I think this "pause-for-sha1-fixes" has now taken more than long
> enough. We should try gathering our focus again on releasing 1.10, and
> get the improvements it brings in the hands of users.
I was one of the people pushing for more SHA1 fixes but I did not find
time to do any of that work myself. I will not object if we decide that
these changes will have to happen later on. We do not seem to have enough
resources to push more SHA1 fixes through right now. So let's do whatever
else we can get done instead.
Received on 2017-05-02 10:33:13 CEST