Re: No longer supply SHA1 checksums for new releases

From: Daniel Shahaf <d.s_at_daniel.shahaf.name>
Date: Mon, 13 Aug 2018 14:48:25 +0000

Julian Foad wrote on Mon, 13 Aug 2018 15:28 +0100:
> Daniel Shahaf wrote:
> > Thank you! Documented in the 1.11 release notes in r1837957.
>
> Thanks. Maybe change the rationale:
>
> - We consider the SHA-1 cryptographic hash function too weak for our needs.
> + This change follows the ASF release policy.
>
> ?

The reason ASF's policy recommends against sha1 is because it is "too
weak", as the page currently states.

I don't know if the distinction between "the Subversion developers
assessed SHA-1 as too weak" and "ASF Infra assessed SHA-1 as too weak"
is important enough to be drawn in the release notes. The technical argument
and end result are the same regardless of who made the decision.

HACKING could certainly mention this detail, though.

Cheers,

Daniel
Received on 2018-08-13 16:48:35 CEST

This message: [ Message body ]
Next message: Julian Foad: "Re: No longer supply SHA1 checksums for new releases"
Previous message: Julian Foad: "Re: No longer supply SHA1 checksums for new releases"
In reply to: Julian Foad: "Re: No longer supply SHA1 checksums for new releases"
Next in thread: Julian Foad: "Re: No longer supply SHA1 checksums for new releases"
Reply: Julian Foad: "Re: No longer supply SHA1 checksums for new releases"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]