On Fri, Jun 25, 2021 at 10:51:11AM +0200, Florian Weimer wrote: > * Zbigniew Jędrzejewski-Szmek: > > > I think we should try to push upstream to sign git tags, instead or in > > addition to tarballs. For upstreams, this is actually much easier > > (just 'git tag' → 'git tag -s' and you're done) compared to e.g. signing > > a tarball on github which requires some interaction with the web service. > > Would anyone recognize these signatures today, given that they are > essentially SHA-1 based? git has a reasonably recent sha1 implementation… It's time to move on, but afaik it isn't currently compromised. The switch to sha256 is ongoing. It seems … stalled (?), but it'll happen sooner or later. So I think we can tell people to sign commits, and then at some point in the future this will magically work with sha256. > Fedora has already disabled SHA-1 signatures by default elsewhere, so > such an encouragement would just result in wasted work. Zbyszek _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
