On Tue, Mar 22, 2016 at 9:02 AM, David Woodhouse <dw...@infradead.org> wrote:
> The original draft does raise an interesting question — do we need to
> put the upstream PGP key directly into the package git tree instead of
> the lookaside cache?
>
> I suppose while the lookaside cache is still only using MD5(!) to
> validate what it downloads, the answer to that is an unequivocal 'yes'.

As an aside, I think Till has code written to make the lookaside use sha256. I'm not sure what the next steps are to get that rolled out though.

josh
--
devel mailing list
devel@lists.fedoraproject.org
http://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org