author: Robin H. Johnson <robbat2@gentoo.org> 2008-07-01 07:17:10 +0000
committer: Robin H. Johnson <robbat2@gentoo.org> 2008-07-01 07:17:10 +0000
commit: b399ed762bbc28e3ebeb337b22d1bcbd4c1e9b28
tree: 3ea59ae45a17b2a50b6eead8abdd71065de972ef /users/robbat2
parent: Clarify objection of removal sentence.
Clarify removal schedule for SHA1.
Diffstat (limited to 'users/robbat2')
-rw-r--r-- users/robbat2/tree-signing-gleps/04-manifest2-hashes 13
1 files changed, 8 insertions, 5 deletions
diff --git a/users/robbat2/tree-signing-gleps/04-manifest2-hashes b/users/robbat2/tree-signing-gleps/04-manifest2-hashes
index a6dab4ecb7..cd3b9f0d9d 100644
--- a/users/robbat2/tree-signing-gleps/04-manifest2-hashes
+++ b/users/robbat2/tree-signing-gleps/04-manifest2-hashes
@@ -1,7 +1,7 @@
GLEP: xx+4
Title: Manifest2 hash policies and security implications
-Version: $Revision: 1.8 $
-Last-Modified: $Date: 2008/07/01 07:14:35 $
+Version: $Revision: 1.9 $
+Last-Modified: $Date: 2008/07/01 07:17:10 $
Author: Robin Hugh Johnson <robbat2@gentoo.org>,
Status: Draft
Type: Standards Track
@@ -97,8 +97,8 @@ defeated.
An unsupported hash is not considered to be a failure unless no
supported hashes are available.
-For the current Portage, SHA1 should be removed, as presents no
-advantages over SHA256. Beyond one specific problem (see the next
+For the current Portage, SHA1 should be gradually removed, as presents
+no advantages over SHA256. Beyond one specific problem (see the next
paragraph), we should add SHA512 (SHA2, 512 bit size), the Whirlpool
checksum (standardized checksum, with no known weaknesses). In future,
as stream-based checksums are developed (in response to the development
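Review bot: In the reworded sentence "SHA1 should be gradually removed, as presents no advantages over SHA256", the word "gradually" carries no criterion or milestone, so a reader of this paragraph alone cannot tell when a Manifest2 file may stop carrying SHA1. Suggest either stating the condition here or pointing explicitly at the paragraph that defines it. While the line is being touched, "as presents" is missing its subject ("as it presents"), and the list "we should add SHA512 (SHA2, 512 bit size), the Whirlpool checksum" needs an "and" before its last item.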
@@ -106,7 +106,10 @@ by NIST [AHS]), they should be considered and used.
There is one temporary stumbling block at hand - the existing Portage
infrastructure does not support SHA384/512 or Whirlpool, thus hampering
-their immediate acceptance. SHA512 is available in Python 2.5
+their immediate acceptance. SHA512 is available in Python 2.5, while
+SHA1 is already available in Python 2.4. After Python2.5 is established
+in a Gentoo media release, that would be a suitable time to remove SHA1
+from Manifest2 files.
Backwards Compatibility
=======================
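Review bot: The removal trigger in the added lines, "After Python2.5 is established in a Gentoo media release", is not testable as written: "established" is undefined, and the text does not say why SHA1 being available in Python 2.4 bears on the schedule. Suggest spelling out the dependency the sentence implies and naming a concrete condition that a tree maintainer can check. The surrounding paragraph lists SHA384/512 and Whirlpool as unsupported, but the added schedule addresses only SHA512, so it should say whether Whirlpool support is also a precondition for dropping SHA1. "Python2.5" should match the "Python 2.5" spelling used one line above.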