[pkg-gnupg-maint] Bug#932753: tag2upload should record git tag signer info in .dsc [and 1 more messages]

Ian Jackson ijackson at chiark.greenend.org.uk
Sat Jul 27 22:40:00 BST 2019


Jonathan McDowell writes ("Bug#932753: tag2upload should record git tag signer info in .dsc [and 1 more messages]"):
> My understanding is this was true in the days of v3 keys/fingerprints
> but is not the case for v4. If we get to the point we find a collision
> then that's a SHA1 issue that's going to cause bigger issues.

It would be good to prepare for changing the fingerprint hash
function.  Would including these parameters do that ?  I think it
would, provided that "hash-algo" is in fact the algorithm used for the
fingerprint hash.

An alternative, perhaps, is to leave this out now, and intend to
introduce a `fingnerprintv5' value later.

Ian.

-- 
Ian Jackson <ijackson at chiark.greenend.org.uk>   These opinions are my own.

If I emailed you from an address @fyvzl.net or @evade.org.uk, that is
a private address which bypasses my fierce spamfilter.



More information about the pkg-gnupg-maint mailing list