Hi Richi, hi All,
on 2017-02-25, Joey found two corner cases in git-annex where the
newly demonstrated SHA-1 collision weakness (as used in git) could
also impact git-annex, *even when used with signed commits*.
https://git-annex.branchable.com/devblog/day_450__hardening_against_SHA_attacks/
Of course he promptly fixed it. I am keenly aware that it's quite late
in the game, but could you manage to roll a deb of 6.20170301 or newer
for the stretch release ?
Strech is going to be around for a while and the SHA-1 attacks will only
increase in potency during its lifetime. I'll help convince the release
team. ;-)
Cheers,
Philipp