> > But is the hashing algorithm a stable interface? If I'm some random
> > package maintainer, can I always depend on using the SHA-1 hash?
>
> I think you should be able to. Some concerns have been raised about the
> security of SHA-1, so we'll probably be moving to SHA-256 (see bug 8) at
> some point, but the server code should probably keep understanding SHA-1
> hashes for quite some time. Clients can eventually become smarter, and
> once we stop seeing SHA-1 requests, we can drop support for them. But I
> expect that'll be quite some time.
I'm not sure I completely agree. Once we move to SHA-256, we ought to stop
publishing new package content with old hash algorithms. I would expect that
we would continue to support previously created content under a legacy
hash algorithm; however, the idea would be to phase out the old, presumably
broken, algorithm as soon as possible.

-j

_______________________________________________
pkg-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/pkg-discuss
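The transition policy the two replies above describe (keep verifying content that was published under SHA-1, publish new content only under SHA-256, fail closed on anything else, and count the legacy verifications so support can be dropped once they stop) can be made concrete. The following is an added example written for this page; it is not code from pkg(5) or the OpenSolaris repository. It assumes a hypothetical hash-attribute convention of `<algo>:<hexdigest>`, with a bare 40-hex-character value treated as a legacy SHA-1 digest; the `HashPolicy`, `parse_hash`, `verify` and `publish` names are invented for the illustration.

```python
"""Hash-agile content verification for a package repository.

Added example, not pkg(5) code.  Assumed (hypothetical) conventions:
  * a hash attribute is "<algo>:<hexdigest>", e.g. "sha256:2cf2...";
  * a bare 40-hex-character value is a legacy SHA-1 digest.
Policy: accept old algorithms for content already published, publish
new content only with the current algorithm, refuse unknown algorithms,
and count legacy verifications so support can be dropped later.
"""
from __future__ import annotations

import hashlib
import hmac
import re
from collections import Counter
from dataclasses import dataclass, field

LEGACY_SHA1_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass
class HashPolicy:
    accept: frozenset = frozenset({"sha1", "sha256"})  # understood on verify
    publish: str = "sha256"                            # used for new content
    deprecated: frozenset = frozenset({"sha1"})        # accepted but counted
    legacy_seen: Counter = field(default_factory=Counter)


def parse_hash(spec: str) -> tuple[str, str]:
    """Return (algorithm, hexdigest) for a hash attribute.

    A bare 40-hex value is taken as legacy SHA-1 (assumed convention);
    anything else must carry an explicit "<algo>:" prefix.
    """
    spec = spec.strip().lower()
    if ":" in spec:
        algo, hexdigest = spec.split(":", 1)
    elif LEGACY_SHA1_RE.match(spec):
        algo, hexdigest = "sha1", spec
    else:
        raise ValueError(f"unrecognised hash attribute: {spec!r}")
    if not re.fullmatch(r"[0-9a-f]+", hexdigest):
        raise ValueError("digest is not hexadecimal")
    return algo, hexdigest


def digest(data: bytes, algo: str) -> str:
    """Hex digest of data under a hashlib algorithm name."""
    return hashlib.new(algo, data).hexdigest()


def verify(data: bytes, spec: str, policy: HashPolicy) -> bool:
    """Check data against a published hash attribute.

    Fails closed (raises) on an algorithm the policy no longer accepts,
    and counts uses of deprecated algorithms so the operator can see when
    legacy requests have stopped.
    """
    algo, expected = parse_hash(spec)
    if algo not in policy.accept:
        raise ValueError(f"hash algorithm {algo!r} no longer supported")
    if algo in policy.deprecated:
        policy.legacy_seen[algo] += 1
    # compare_digest avoids leaking the matching prefix through timing.
    return hmac.compare_digest(digest(data, algo), expected)


def publish(data: bytes, policy: HashPolicy) -> str:
    """Hash attribute for newly published content: current algorithm only."""
    return f"{policy.publish}:{digest(data, policy.publish)}"


if __name__ == "__main__":
    policy = HashPolicy()
    content = b"hello"                                  # constructed sample
    legacy = digest(content, "sha1")                    # what an old manifest carries
    print("legacy ok:", verify(content, legacy, policy))
    print("new attr :", publish(content, policy))
    print("legacy verifications so far:", dict(policy.legacy_seen))
    strict = HashPolicy(accept=frozenset({"sha256"}))   # after SHA-1 is dropped
    try:
        verify(content, legacy, strict)
    except ValueError as exc:
        print("strict policy:", exc)
```

The split between `accept` and `publish` is the point of the thread: the server keeps understanding old hashes for existing content, while nothing new is ever published under them, and `legacy_seen` gives the signal for the day when `sha1` can be removed from `accept`.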
