There have been various discussions about GnuPG's default use of SHA1, e.g. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=612657 which impacts the archive pseudo-package but is also relevant for the gnupg* packages. However, are such issues at the discretion of package maintainers and upstream, or is it useful to have a uniform Debian approach to cryptographic strength?