On Tue, Mar 22, 2016 at 9:02 AM, David Woodhouse <dwmw2@xxxxxxxxxxxxx> wrote:
> The original draft does raise an interesting question — do we need to
> put the upstream PGP key directly into the package git tree instead of
> the lookaside cache?
>
> I suppose while the lookaside cache is still only using MD5(!) to
> validate what it downloads, the answer to that is an unequivocal 'yes'.

As an aside, I think Till has code written to make the lookaside use
sha256. I'm not sure what the next steps are to get that rolled out
though.

josh