Re: no-strong-digests-in-dsc MBF
Stuart Prescott writes ("Re: no-strong-digests-in-dsc MBF"):
> Given the hashes aren't used within Debian and can't be used reliably by
> external parties either, it doesn't feel like a good use of anyone's time.
dgit uses the hashes in the .dsc, both during `dgit fetch' and during
`dgit import-dsc'. Sponsorship workflows sometimes involve exchanging
or signing only .dscs.
But: I agree that this is not a release-critical bug. For old .dsc's
(I assume we're not generating new ones) the security requirement is
second preimage resistance for old documents. I think for .dscs this
will be OK for a while yet.
Ian.
--
Ian Jackson <ijackson@chiark.greenend.org.uk> These opinions are my own.
If I emailed you from an address @fyvzl.net or @evade.org.uk, that is
a private address which bypasses my fierce spamfilter.
Reply to: