Bernd Zeimetz writes: > On 7/27/19 8:16 PM, Rebecca N. Palmer wrote:> As a way to avoid relying > on SHA-1, would it work to have git-debpush >> include a longer hash in the tag message, and tag2upload also verify >> that hash? >> > The other idea would be to convince git upstream to use something > better than sha1 - and after a bit of searching, I found [...] > So I think the best thing to do is to get sha256 working in git and > force the usage of sha256 if you want to sign a tag for upload.
That will take quite a while; we would probably need a version of git supporting that in stable. There are also other issues, for example: - Such a service would bypass various sanity checks on the archive side, including various permission checks. - Such a service would need to properly validate the PGP signature. The archive really shouldn't rely on a third-party service for this. (In particular the service in question here doesn't do that as far as I can tell.) Ansgar
