On 29.01.20 15:21, Kevin A. McGrail wrote:
>Correct, it's a policy issue. ASF Projects must stop providing SHA-1
>signatures and we negotiated that deadline.
On Thu, Jan 30, 2020 at 10:44:09AM +0100, Matus UHLAR - fantomas wrote:
do you mean, not having updates is better than using sha-1?
On 30.01.20 11:55, Henrik K wrote:
People using legacy SA versions are at risk from multiple vulnerabilities.
Doesn't hurt making them upgrade to something sane.
so should I understand that as a force move "upgrade or don't get updates"?
are you aware that some distro maintainers prefer to backport security fixes
to former versions to prevent functional surprises?
I am aware that fighting spam and viruses is a bit different than much of
other software...
wouldn't clients supporting sha256 still use those over sha-1 or do you
expect MITM attackers to hide sha256 hashes so fake sha-1 can be forged?
As a general comment for everyone:
For security it makes absolutely no difference what hash checksum is used
for rule updates. It is simply for transport integrity checking. For all
purposes intended, the .gz internal compression checksum already would be
enough for this.
For checking _authenticity_, GPG signatures are the only valid method to
verify who actually created the rules. Sa-update should not be used without
GPG verification.
I use Debian, and it uses GPG signatures. So I understand that sha-1 issue
even less...
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
2B|!2B, that's a question!