Russ Allbery <r...@debian.org> writes:

> Ansgar 🙀 <ans...@43-1.org> writes:
>
>> In addition it reintroduces trust in weak cryptographic hashes which
>> effort was spent to remove.
>
> I think this concern is significantly overblown and attempted to explain
> precisely why I believe that in my security review. I'll also point out
> that using SHA-256 hashes in *.dsc files does not somehow mean that Debian
> is no longer trusting SHA-1 hashes, given that most Debian development is
> done in Git using SHA-1 hashes.
>
> I think we're all agreed that switching Git to SHA-256 hashes would be
> great and, once that work is done, we should take advantage of it,
> including in tag2upload.
I have not more than skimmed the architecture, so forgive me if this makes
no sense: Could this fear (whether overblown or not) not be alleviated by
including in the tag2upload structured metadata a SHA-256 hash of all the
files in the given commit?

PS: Fantastic work by all involved! Tag2upload seems *wonderful*!

Best,
Gard
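To make the suggestion above concrete, here is an added example (written for this page; it is not tag2upload's code and does not reflect its actual metadata format) of what a per-file SHA-256 manifest of a commit's tree could look like, and how a verifier on the receiving side would check a checked-out tree against it. The JSON manifest layout, the function names and the sample source tree are all assumptions constructed for the illustration; the point is that the manifest is computed from file contents only, so its integrity guarantee does not depend on Git's SHA-1 object names.

```python
"""Added example, not tag2upload's code: build a SHA-256 manifest of every
file in a tree and verify a tree against it. Manifest format (JSON keyed by
repo-relative path) is an assumption made for this illustration."""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """SHA-256 of a file's contents, streamed so large files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each regular file's repo-relative POSIX path to its SHA-256.
    Git's own object store (.git/) is skipped; only tree contents count."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if not p.is_file() or p.is_symlink():
            continue
        rel = p.relative_to(root).as_posix()
        if rel == ".git" or rel.startswith(".git/"):
            continue
        manifest[rel] = sha256_file(p)
    return manifest


def serialize(manifest: dict[str, str]) -> str:
    """Canonical encoding: same tree always yields the same bytes, so this
    string is what a signer would cover alongside the tag metadata."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":"))


def manifest_digest(manifest: dict[str, str]) -> str:
    """Single SHA-256 over the canonical manifest, handy to embed in a tag."""
    return hashlib.sha256(serialize(manifest).encode("utf-8")).hexdigest()


def verify_tree(root: Path, expected: dict[str, str]) -> list[str]:
    """Return a list of problems; an empty list means the tree matches."""
    actual = build_manifest(root)
    problems = []
    for path in sorted(set(expected) | set(actual)):
        if path not in actual:
            problems.append(f"missing: {path}")
        elif path not in expected:
            problems.append(f"unexpected: {path}")
        elif expected[path] != actual[path]:
            problems.append(f"modified: {path}")
    return problems


# Constructed sample source tree (not a real package).
SAMPLE_FILES = {
    "debian/control": b"Source: example\n",
    "debian/changelog": b"example (1.0-1) unstable; urgency=medium\n",
    "src/main.c": b"int main(void) { return 0; }\n",
}


def write_tree(root: Path, files: dict[str, bytes]) -> None:
    for rel, data in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)


def demo() -> tuple[bool, list[str]]:
    """Build a manifest from a clean tree, then detect a tampered copy."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        write_tree(root, SAMPLE_FILES)
        manifest = build_manifest(root)
        clean_ok = verify_tree(root, manifest) == []
        # Alter one file's contents; the SHA-256 manifest flags exactly it.
        (root / "src/main.c").write_bytes(b"int main(void) { return 1; }\n")
        return clean_ok, verify_tree(root, manifest)


if __name__ == "__main__":
    ok, problems = demo()
    print("clean tree verified:", ok)
    print("after tampering:", problems)
```

Because the manifest is built from file bytes rather than from Git object identifiers, a verifier that receives the signed manifest can check the extracted tree without relying on the SHA-1 names Git uses internally; the per-path digests also localize any discrepancy to the affected file.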