
Re: No longer supply SHA1 checksums for new releases

From: Daniel Shahaf <d.s_at_daniel.shahaf.name>
Date: Mon, 13 Aug 2018 14:48:25 +0000

Julian Foad wrote on Mon, 13 Aug 2018 15:28 +0100:
> Daniel Shahaf wrote:
> > Thank you! Documented in the 1.11 release notes in r1837957.
> Thanks. Maybe change the rationale:
> - We consider the SHA-1 cryptographic hash function too weak for our needs.
> + This change follows the ASF release policy.
> ?

The reason ASF's policy recommends against sha1 is because it is "too
weak", as the page currently states.

I don't know if the distinction between "the Subversion developers
assessed SHA-1 as too weak" and "ASF Infra assessed SHA-1 as too weak"
is important enough to be drawn in the release notes. The technical argument
and end result are the same regardless of who made the decision.

HACKING could certainly mention this detail, though.


Received on 2018-08-13 16:48:35 CEST

This is an archived mail posted to the Subversion Dev mailing list.
