From mboxrd@z Thu Jan 1 00:00:00 1970 From: ludo@gnu.org (Ludovic =?utf-8?Q?Court=C3=A8s?=) Subject: Re: SHA-1 vs SHA256 + public key Date: Tue, 23 May 2017 22:53:28 +0200 Message-ID: <878tln8fcn.fsf@gnu.org> References: <87fufwtbag.fsf@netris.org> <87bmqkt6xg.fsf@netris.org> Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:50100) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1dDGoA-00070t-Tz for guix-devel@gnu.org; Tue, 23 May 2017 16:53:35 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1dDGo7-0007eq-R8 for guix-devel@gnu.org; Tue, 23 May 2017 16:53:35 -0400 In-Reply-To: <87bmqkt6xg.fsf@netris.org> (Mark H. Weaver's message of "Tue, 23 May 2017 02:37:31 -0400") List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org Sender: "Guix-devel" To: Mark H Weaver Cc: guix-devel@gnu.org, Mark Rijckenberg Mark H Weaver skribis: > I wrote: >> The hashes included in the announcement are not able to provide secure >> authentication, regardless of what hash function is used, because the >> announcement itself might have been modified > > I forgot that the announcement itself was signed, which invalidates much > of what I wrote earlier. Sorry for the noise. > > I agree that we should include stronger hashes in the announcement. Agreed, we should do that. (Providing hashes in the message, which is archived, provides a way for people to make sure we will not modify the uploaded file in place in the future.) Ludo=E2=80=99.