On Mon, Jan 19, 2026 at 04:17:49PM +0100, Simon Josefsson wrote:
> How about using SHA3-256 and base64 encoded hash values?

As a methodological answer, this is the kind of conversation that best belongs to the SWHID WG, rather than here.

That said, your arguments against SHA2 (256) are well taken. One argument in *favor* of SHA2-256 is Git compatibility --- which in the supply chain context is a real plus, as it will ease cross-referencing information from different sources, even when one lacks the referenced material (to compute other hashes). Some of the arguments that made Git decide the way they did also apply to SWHIDv2.

Regarding encoding: yes, base64 is a possibility that we are considering.

Cheers
-- 
Stefano Zacchiroli - https://upsilon.cc/zack
Full professor of Computer Science, Polytechnic Institute of Paris
Co-founder & CSO Software Heritage
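The cross-referencing point in the reply above, as an added example that is not part of the original message or of any SWHID specification: an identifier built on Git's SHA-256 blob hashing can be matched against a Git object ID by re-encoding alone (hex or base64), while a SHA3-256 value can only be checked by someone who holds the content. It assumes Git's blob framing (`blob <length>` plus a NUL byte before the content); the sample content and function names are constructed for illustration.

```python
import base64
import hashlib


def git_blob_digest(content: bytes, algo: str = "sha256") -> bytes:
    """Raw Git object ID of a blob: hash over b'blob <len>' + NUL + content."""
    header = b"blob %d\x00" % len(content)
    return hashlib.new(algo, header + content).digest()


def to_b64(digest: bytes) -> str:
    return base64.b64encode(digest).decode("ascii")


def b64_to_hex(text: str) -> str:
    # validate=True rejects characters outside the base64 alphabet
    return base64.b64decode(text, validate=True).hex()


def cross_reference(git_hex_ids: set, published_b64: str) -> bool:
    """Match a base64-encoded ID against hex Git IDs without the content."""
    return b64_to_hex(published_b64) in git_hex_ids


# Constructed sample: one file as seen by three hypothetical sources.
CONTENT = b"hello supply chain\n"

# Source A: a Git repository in SHA-256 object format (hex object IDs).
repo_ids = {git_blob_digest(CONTENT, "sha256").hex()}

# Source B: publishes the same digest, base64 encoded.
b64_id = to_b64(git_blob_digest(CONTENT, "sha256"))

# Source C: publishes a SHA3-256 digest over the same Git framing.
sha3_b64_id = to_b64(git_blob_digest(CONTENT, "sha3_256"))


def demo() -> tuple:
    # B matches A by decoding alone; C never matches without the content,
    # because a SHA3-256 value cannot be derived from a SHA-256 value.
    return (cross_reference(repo_ids, b64_id),
            cross_reference(repo_ids, sha3_b64_id))


if __name__ == "__main__":
    print("hex length:", len(next(iter(repo_ids))), "base64 length:", len(b64_id))
    print("B vs A, C vs A:", demo())
```
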
