On Tue, Mar 22, 2016 at 9:02 AM, David Woodhouse <dwmw2(a)infradead.org> wrote:
> The original draft does raise an interesting question — do we need to
> put the upstream PGP key directly into the package git tree instead of
> the lookaside cache?
>
> I suppose while the lookaside cache is still only using MD5(!) to
> validate what it downloads, the answer to that is an unequivocal 'yes'.

As an aside, I think Till has code written to make the lookaside use
sha256. I'm not sure what the next steps are to get that rolled out
though.
josh