On Thu, Jan 30, 2020 at 10:44:09AM +0100, Matus UHLAR - fantomas wrote:
> On 29.01.20 15:21, Kevin A. McGrail wrote:
> >Correct, it's a policy issue.  ASF Projects must stop providing SHA-1
> >signatures and we negotiated that deadline.
> 
> do you mean, not having updates is better than using sha-1?

People using legacy SA versions are at risk from multiple vulnerabilities.
Doesn't hurt making them upgrade to something sane.

> wouldn't clients supporting sha256 still use those over sha-1 or do you
> expect MITM attackers to hide sha256 hashes so fake sha-1 can be forged?

As a general comment for everyone:

For security it makes absolutely no difference what hash checksum is used
for rule updates.  It is simply for transport integrity checking.  For all
purposes intended, the .gz internal compression checksum already would be
enough for this.

For checking _authenticity_, GPG signatures are the only valid method to
verify who actually created the rules.  Sa-update should not be used without
GPG verification.
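
The integrity-versus-authenticity distinction drawn above, as an added example that is not part of the original message or of SpamAssassin's code: a checksum served over the same channel as the archive catches a damaged download but not a replaced one. The rule text and the function names are constructed for illustration.

```python
import gzip
import hashlib
import zlib

# Constructed sample data, not real SpamAssassin rules.
GENUINE = b"header   SAMPLE_RULE Subject =~ /constructed example/\nscore    SAMPLE_RULE 2.0\n"
TAMPERED = GENUINE.replace(b"2.0", b"0.0")


def publish(rules):
    """What a download channel serves: the .gz archive and its SHA-256 hex digest."""
    archive = gzip.compress(rules)
    return archive, hashlib.sha256(archive).hexdigest()


def gzip_ok(archive):
    """True if the stream decompresses and the gzip trailer (CRC-32, length) matches."""
    try:
        gzip.decompress(archive)
        return True
    except (OSError, EOFError, zlib.error):
        return False


def sha_ok(archive, digest):
    """True if the archive matches the digest fetched alongside it."""
    return hashlib.sha256(archive).hexdigest() == digest


def check(archive, digest):
    """Run both transport-integrity checks on one download."""
    return {"gzip": gzip_ok(archive), "sha256": sha_ok(archive, digest)}


def scenarios():
    archive, digest = publish(GENUINE)
    # Whoever controls the channel replaces the archive and its digest together.
    forged_archive, forged_digest = publish(TAMPERED)
    return {
        "clean": check(archive, digest),
        "truncated": check(archive[:-5], digest),  # download cut short
        "substituted": check(forged_archive, forged_digest),
        "substituted_is_genuine": gzip.decompress(forged_archive) == GENUINE,
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(name, result)
```

Both checks reject the truncated download and both accept the substituted one, whichever hash is used; telling the substituted archive from the genuine one takes a signature verified against a key obtained independently of the download channel.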
