Hi Ulrich,

On Tue, Apr 5, 2022 at 4:10 PM Ulrich Mueller <ulm@g.o> wrote:
> The OpenPGP signature is for the top-level Manifest only. In case there
> was any trouble, it would be trivial to change the hash algorithm used
> for this.
>
> In contrast to that, updating the hashes in all Manifest files is a
> huge pain in the neck. Basically, you must download all distfiles, which
> is not trivial. For example, think of fetch-restricted files. (I've
> helped twice with updating Manifest files, so I believe I know what I'm
> talking about. :)

The thing is, if SHA-512 is broken, that will really be the least of
our concerns. TLS itself will be broken....

Jason
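An added example, not from this thread and not Portage's own code, to make the cost split Ulrich describes concrete. It assumes the Manifest2 line layout from GLEP 74 (TYPE path size ALGO hex ALGO hex ...), builds a tiny constructed repository in a temporary directory, and uses SHA3_512 as a stand-in "new" algorithm. Entries that name files in the tree (MANIFEST, EBUILD, MISC, AUX) can be rehashed from a checkout alone; DIST entries need the distfile in DISTDIR, and a missing or fetch-restricted distfile simply cannot be rehashed.

```python
"""Added example: adding a hash algorithm to Manifest2 files.

Assumptions (not taken from the thread): GLEP 74 line layout, a constructed
one-package repository, SHA3_512 as the newly introduced algorithm.
"""
import hashlib
import os
import tempfile

HASH_ALGOS = {"BLAKE2B": "blake2b", "SHA512": "sha512", "SHA3_512": "sha3_512"}


def hash_file(path, algo):
    h = hashlib.new(HASH_ALGOS[algo])
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest_entry(typ, path, size, hashes):
    return {"type": typ, "path": path, "size": size, "hashes": hashes}


def parse_manifest(text):
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        # TYPE path size, followed by an even number of ALGO/hex fields
        if len(fields) < 5 or len(fields) % 2 == 0:
            raise ValueError("malformed Manifest line: %r" % line)
        entries.append(manifest_entry(fields[0], fields[1], int(fields[2]),
                                      dict(zip(fields[3::2], fields[4::2]))))
    return entries


def format_manifest(entries):
    lines = []
    for e in entries:
        parts = [e["type"], e["path"], str(e["size"])]
        for algo in sorted(e["hashes"]):
            parts += [algo, e["hashes"][algo]]
        lines.append(" ".join(parts))
    return "\n".join(lines) + "\n"


def verify_entry(e, path):
    """Size and every recorded hash must match the file on disk."""
    if os.path.getsize(path) != e["size"]:
        return False
    return all(hash_file(path, a) == v for a, v in e["hashes"].items())


def add_hash(manifest_text, new_algo, root, distdir=None):
    """Append new_algo to each entry whose file is reachable.

    Tree entries resolve relative to root; DIST entries resolve in distdir
    (None means no distfiles available). Returns (new text, unreachable paths).
    """
    entries = parse_manifest(manifest_text)
    missing = []
    for e in entries:
        if e["type"] == "DIST":
            path = os.path.join(distdir, e["path"]) if distdir else None
        else:
            path = os.path.join(root, e["path"])
        if path is None or not os.path.isfile(path):
            missing.append(e["path"])
            continue
        if not verify_entry(e, path):
            # Only rehash a file the existing hashes vouch for.
            raise ValueError("existing hashes do not match %s" % path)
        e["hashes"][new_algo] = hash_file(path, new_algo)
    return format_manifest(entries), missing


def write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Constructed repo: one package whose distfile is not in DISTDIR."""
    root = tempfile.mkdtemp()
    pkgdir = os.path.join(root, "app-misc", "foo")
    ebuild = os.path.join(pkgdir, "foo-1.ebuild")
    write(ebuild, b'EAPI=8\nSRC_URI="https://example.invalid/foo-1.tar.gz"\n')
    # Package Manifest: the ebuild is in the tree, the tarball is not.
    pkg_entries = [
        manifest_entry("EBUILD", "foo-1.ebuild", os.path.getsize(ebuild),
                       {a: hash_file(ebuild, a) for a in ("BLAKE2B", "SHA512")}),
        manifest_entry("DIST", "foo-1.tar.gz", 1234,
                       {"BLAKE2B": "00" * 64, "SHA512": "11" * 64}),  # placeholder digests
    ]
    pkg_manifest = os.path.join(pkgdir, "Manifest")
    write(pkg_manifest, format_manifest(pkg_entries).encode())
    # Top-level Manifest (the signed one) only references the sub-Manifest.
    top_entries = [manifest_entry("MANIFEST", "app-misc/foo/Manifest",
                                  os.path.getsize(pkg_manifest),
                                  {a: hash_file(pkg_manifest, a)
                                   for a in ("BLAKE2B", "SHA512")})]
    top_text, top_missing = add_hash(format_manifest(top_entries), "SHA3_512", root)
    pkg_text, pkg_missing = add_hash(format_manifest(pkg_entries), "SHA3_512", pkgdir)
    return top_missing, pkg_missing, top_text, pkg_text


if __name__ == "__main__":
    top_missing, pkg_missing, top_text, pkg_text = demo()
    print("top-level unreachable:", top_missing)
    print("package unreachable:", pkg_missing)
```

Running demo() rehashes the top-level Manifest with nothing missing, while the package Manifest gains SHA3_512 on its EBUILD line only and reports foo-1.tar.gz as unreachable. Note the ordering a real migration needs: sub-Manifests change content when they gain a hash, so the top-level Manifest must be regenerated and re-signed after them, not before.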