librsync previously used a truncated MD4 "strong" checksum to match
blocks. However, MD4 is not cryptographically strong. It’s possible that
an attacker who can control the contents of one part of a file could use
this weakness to control other regions of the file, if it’s transferred
using librsync/rdiff. For example, this might occur in a database, mailbox,
or VM image containing some attacker-controlled data.

To mitigate this issue, signatures will by default be computed with a
256-bit BLAKE2 hash. Old versions of librsync will complain about a bad
magic number when given these signature files.
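
To find stored signature files that still rely on the MD4 strong sum, the header can be inspected directly. The following is an added example, not librsync's own code; it assumes the 12-byte big-endian header layout and the magic constants from librsync.h, neither of which is given on this page, and audit_signature_header is a hypothetical helper name.

```python
import struct

# Signature magic numbers from librsync.h (not stated on the page).
SIG_MAGICS = {
    0x72730136: ("MD4", "rollsum"),
    0x72730137: ("BLAKE2", "rollsum"),
    0x72730146: ("MD4", "rabinkarp"),     # added in later librsync releases
    0x72730147: ("BLAKE2", "rabinkarp"),  # added in later librsync releases
}
FULL_LEN = {"MD4": 16, "BLAKE2": 32}  # untruncated digest sizes, in bytes


def audit_signature_header(data: bytes) -> dict:
    """Classify an rdiff signature from its 12-byte header.

    Assumed layout, all big-endian 32-bit: magic, block length, strong sum length.
    """
    if len(data) < 12:
        raise ValueError("too short to be a librsync signature")
    magic, block_len, strong_len = struct.unpack(">III", data[:12])
    if magic not in SIG_MAGICS:
        raise ValueError(f"unknown signature magic 0x{magic:08x}")
    strong_hash, weak_hash = SIG_MAGICS[magic]
    if not 0 < strong_len <= FULL_LEN[strong_hash]:
        raise ValueError(f"invalid strong sum length {strong_len}")
    findings = []
    if strong_hash == "MD4":
        findings.append("MD4 strong sum: regenerate the signature with BLAKE2")
    if strong_len < FULL_LEN[strong_hash]:
        findings.append(
            f"strong sum truncated to {strong_len} of {FULL_LEN[strong_hash]} bytes")
    return {"strong_hash": strong_hash, "weak_hash": weak_hash,
            "block_len": block_len, "strong_len": strong_len,
            "findings": findings}


# Constructed sample headers (not captured from real files).
OLD_SIG = struct.pack(">III", 0x72730136, 2048, 8)   # MD4, 8-byte strong sum
NEW_SIG = struct.pack(">III", 0x72730137, 2048, 32)  # BLAKE2, full 256 bits

if __name__ == "__main__":
    for name, blob in (("old.sig", OLD_SIG), ("new.sig", NEW_SIG)):
        report = audit_signature_header(blob)
        print(name, report["strong_hash"], report["strong_len"],
              report["findings"] or "ok")
```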