Michał Górny wrote:
> I think the first reasonable change would be to deprecate SHA256. It is pretty much the same algorithm as SHA512, except for different parameters. It is weaker than SHA512, and SHA512 is supported on all existing platforms anyway.
I think there is nothing wrong or insecure with continuing to use SHA256, even though it is technically weaker than SHA512. If it is already included in all Manifests then keeping it as standard is preferable I think.
Some people consider having a second dissimilar algorithm at hand a good idea. I suggest SHA3 in that case.
manifest-hashes = SHA256 SHA3-256

Best regards,
Chí-Thanh Christopher Nguyễn