On Sat, Aug 03, 2019 at 03:06:39PM +0100, Chris Boot wrote: > - Which checksums should we include? Our Apt repos use MD5 and SHA-256, > and our ISOs use MD5, SHA-1, SHA-256 and SHA-512. I'd be inclined to > suggest SHA-256 and SHA-512 only, personally.
Only one of them. And I would go directly to SHA3 for new stuff. > 1. Add labels of the form "checksum.cloud.debian.org/${ALGO}" under > metadata.labels, for example "checksum.cloud.debian.org/sha256". Labels are to search for stuff, not describe the content. > 3. Add a new mapping within the "data" mapping called "checksums" with > keys for each algorithm, e.g. "data.checksums.sha256". The usual way would be something like this: | data: | verify: | - name: sha3_256 | content: ABC= | - name: gpg | content: AAA= > In each case I expect the values to be hex strings, effectively the same > as the first column of the output from sha1sum, sha256sum, sha512sum, > etc... from coreutils. No, don't. Use base64 like everyone else. Bastian -- A father doesn't destroy his children. -- Lt. Carolyn Palamas, "Who Mourns for Adonais?", stardate 3468.1.