Re: system-wide crypto policies

* Daniel Pocock:
> However, are such issues at the discretion of package maintainers and
> upstream, or is it useful to have a uniform Debian approach to
> cryptographic strength?

Keep in mind that RFC 4880 (OpenPGP) hard-codes SHA-1 in several
places, notably for key fingerprints. If there's a uniform strength
requirement, we need some weasel words that GnuPG remains compliant.
It's also unclear if SHA-256 or SHA-512 is stronger, and if either
really is that much better than SHA-1.
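
For reference, the version 4 key fingerprint that RFC 4880 (section 12.2) fixes to SHA-1, as an added example that is not part of the original message and not GnuPG's code. The key material is constructed and the helper names are hypothetical.

```python
import hashlib
import struct

def mpi(value: int) -> bytes:
    """OpenPGP MPI (RFC 4880 section 3.2): 2-byte bit count, then big-endian bytes."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")

def v4_rsa_public_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a version 4 RSA public-key packet (RFC 4880 section 5.5.2)."""
    version = bytes([4])
    algorithm = bytes([1])  # public-key algorithm ID 1 = RSA
    return version + struct.pack(">I", created) + algorithm + mpi(n) + mpi(e)

def v4_fingerprint(body: bytes) -> bytes:
    """SHA-1 over 0x99, the 2-byte body length, and the packet body.

    The hashed data carries no hash algorithm identifier, so a V4
    fingerprint is always a 160-bit SHA-1 value whatever digest
    preferences the key or the system policy states.
    """
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()

def v4_key_id(body: bytes) -> bytes:
    """The key ID is the low-order 64 bits of the fingerprint."""
    return v4_fingerprint(body)[-8:]

# Constructed sample values, not a real key (the modulus is far too small).
SAMPLE_N = (1 << 127) + 12345
SAMPLE_E = 65537
SAMPLE_CREATED = 1_400_000_000
SAMPLE_BODY = v4_rsa_public_key_body(SAMPLE_CREATED, SAMPLE_N, SAMPLE_E)

if __name__ == "__main__":
    print("fingerprint:", v4_fingerprint(SAMPLE_BODY).hex().upper())
    print("key ID:     ", v4_key_id(SAMPLE_BODY).hex().upper())
```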