Web lists-archives.com

Re: Discussion on eventual transition away from source packages




Daniel Kahn Gillmor <dkg@xxxxxxxxxxxxxxxxx> writes:
> On Fri 2019-03-22 09:32:55 +0100, Lucas Nussbaum wrote:
>> I'm probably missing something, but it doesn't sound like a lot of work
>> to me? It's "just" a service that:
>> - gets notified of the existence of a git repo + tag to upload
>> - fetches that git repo + tag
>> - checks signature / confirm that the GPG key owner is allowed to upload
>>   that package
>
> In case anyone is considering trying to do this, please be aware that
> there are several non-obvious subtleties involved in "verifying a git
> tag".

Doesn't Git also only use hash algorithms that are no longer recommended
for cryptographic applications?  Or have they finished moving to
stronger algorithms?

I don't think we should downgrade to SHA-1 for new services.

Ansgar