Re: tag2upload (git-debpush) service architecture - draft
On 7/27/19 8:16 PM, Rebecca N. Palmer wrote:
> As a way to avoid relying on SHA-1, would it work to have git-debpush
> include a longer hash in the tag message, and tag2upload also verify
> that hash?
what exactly would you create that long hash of?
If we don't trust sha-1, then we might also not be able to trust the
linked list of commits a git tag is pointing to.
--
Bernd Zeimetz Debian GNU/Linux Developer
http://bzed.de http://www.debian.org
GPG Fingerprint: ECA1 E3F2 8E11 2432 D485 DD95 EB36 171A 6FF9 435F
Reply to: