Re: ANN: snapcraft 2.28 has been released

2017-04-01 Thread Neal Gompa
On Sat, Apr 1, 2017 at 5:22 PM, John Lenton  wrote:
> On 31 March 2017 at 21:52, Neal Gompa  wrote:
>> we
>> definitely don't want to use less than SHA256 for snaps.
>
> note snaps use sha3-384 currently; the above discussion is, as I
> understand it, about snapcraft checking upstream checksums at build
> time.
>

Sure, but it's just as important that the inputs can be trusted for a
given snap created by snapcraft, and allowing people to choose weak
algorithms is against that.



-- 
真実はいつも一つ!/ Always, there's only one truth!

-- 
Snapcraft mailing list
Snapcraft@lists.snapcraft.io
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/snapcraft


Re: ANN: snapcraft 2.28 has been released

2017-03-31 Thread Kyle Fazzari


On 03/31/2017 03:37 AM, Colin Watson wrote:
> On Fri, Mar 31, 2017 at 11:22:50AM +0100, Mark Shuttleworth wrote:
>> On 30/03/17 20:54, Sergio Schvezov wrote:
>>> ### sources
>>>
>>> Sources, thanks to an external contributor, can now make use of a new 
>>> entry, `source-checksum` which can be added to sources that can be hashed, 
>>> the format is the following: `source-checksum: /`. These 
>>> are the supported algorithms:
>>>
>>> - `md5`
>>> - `sha1`
>>> - `sha224`
>>> - `sha256`
>>
>> Please cull those from the acceptable digests, they are the Fake News of
>> cryptographic reassurance ;)
> 
> Seriously?  MD5 and SHA-1 of course yes, but there's no particular
> evidence that SHA256 is problematic, and as yet it's far more popular as
> an advertised tarball hash than anything based on SHA-3 or BLAKE2.  (I
> don't know about SHA224, but it's at least also in the SHA-2 family.)

Indeed, looking at what upstream provides for a few projects I use in my
snaps:

- Nextcloud: MD5 and SHA256
(https://nextcloud.com/install/#instructions-server)
- Apache: PGP sig or MD5 (https://www.apache.org/dyn/closer.cgi#verify)
- PHP: MD5 or SHA256 (https://secure.php.net/downloads.php)
- Redis: SHA1 and SHA256
(https://github.com/antirez/redis-hashes/blob/master/README)
- Ubuntu itself: SHA256 (it seems that it also supports MD5 and SHA1)
(https://www.ubuntu.com/download/how-to-verify)

I think supporting commonly-used ones here is important, or this becomes
difficult to use.

-- 
Kyle Fazzari (kyrofa)
Software Engineer
Canonical Ltd.
k...@canonical.com





Re: ANN: snapcraft 2.28 has been released

2017-03-31 Thread Colin Watson
On Fri, Mar 31, 2017 at 11:22:50AM +0100, Mark Shuttleworth wrote:
> On 30/03/17 20:54, Sergio Schvezov wrote:
> > ### sources
> >
> > Sources, thanks to an external contributor, can now make use of a new 
> > entry, `source-checksum` which can be added to sources that can be hashed, 
> > the format is the following: `source-checksum: /`. These 
> > are the supported algorithms:
> >
> > - `md5`
> > - `sha1`
> > - `sha224`
> > - `sha256`
> 
> Please cull those from the acceptable digests, they are the Fake News of
> cryptographic reassurance ;)

Seriously?  MD5 and SHA-1 of course yes, but there's no particular
evidence that SHA256 is problematic, and as yet it's far more popular as
an advertised tarball hash than anything based on SHA-3 or BLAKE2.  (I
don't know about SHA224, but it's at least also in the SHA-2 family.)

Current NIST policy recommends SHA256 as a minimum, and says "Currently
there is no need to transition applications from SHA-2 to SHA-3", dated
2015-08-05 (http://csrc.nist.gov/groups/ST/hash/policy.html).  Of course
it's always important to retain hash algorithm agility and usually wise
to prefer more recent standards in new applications, but it's IMO far
too early to regard SHA256 as unacceptable.

-- 
Colin Watson   [cjwat...@ubuntu.com]

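As an added example (not snapcraft's own code), here is how a build tool could parse the `source-checksum` entry quoted above, verify a fetched source against it and apply the policy argued for in this thread: refuse MD5/SHA-1, accept the SHA-2 family with SHA256 as the practical minimum, and pick the strongest digest an upstream advertises. It assumes the value format is `<algorithm>/<hexdigest>` and that `sha3_384` (what snaps themselves use) is also acceptable; the sample bytes are constructed.

```python
import hashlib
import hmac

# Policy reflecting the thread: MD5/SHA-1 are refused outright, the SHA-2
# family is accepted with SHA256 as the practical minimum, and sha3_384 is
# what snaps themselves use.  (Constructed policy, not snapcraft's behaviour.)
WEAK = {"md5", "sha1"}
STRENGTH = ["sha3_384", "sha512", "sha384", "sha256", "sha224"]  # strongest first
HEX = set("0123456789abcdef")


def parse_source_checksum(value):
    """Split '<algorithm>/<hexdigest>' and enforce the policy; raise ValueError."""
    algo, sep, digest = value.partition("/")
    algo, digest = algo.strip().lower(), digest.strip().lower()
    if not sep or not algo or not digest:
        raise ValueError(f"malformed source-checksum: {value!r}")
    if algo in WEAK:
        raise ValueError(f"refusing weak digest algorithm: {algo}")
    if algo not in STRENGTH:
        raise ValueError(f"unsupported digest algorithm: {algo}")
    want = hashlib.new(algo).digest_size * 2  # expected hex length
    if len(digest) != want or not set(digest) <= HEX:
        raise ValueError(f"{algo} digest must be {want} hex characters")
    return algo, digest


def verify_source(data, source_checksum):
    """True iff the fetched bytes hash to the declared digest (constant-time compare)."""
    algo, digest = parse_source_checksum(source_checksum)
    return hmac.compare_digest(hashlib.new(algo, data).hexdigest(), digest)


def choose_source_checksum(offered):
    """Pick the strongest acceptable entry from upstream's advertised digests
    ({algo: hexdigest}), skipping md5/sha1 even when they are all that is listed."""
    for algo in STRENGTH:
        if algo in offered:
            return f"{algo}/{offered[algo]}"
    raise ValueError("no acceptable digest advertised; verify by another means")


if __name__ == "__main__":
    # Constructed sample: b"abc" with its well-known SHA-256 test-vector digest.
    sample = b"abc"
    decl = "sha256/ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
    print(verify_source(sample, decl))  # True
    print(choose_source_checksum({"md5": "900150983cd24fb0d6963f7d28e17f72",
                                  "sha256": decl.split("/")[1]}))
```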


Re: ANN: snapcraft 2.28 has been released

2017-03-31 Thread Mark Shuttleworth

What a great release, thank you! Only one request:

On 30/03/17 20:54, Sergio Schvezov wrote:
> ### sources
>
> Sources, thanks to an external contributor, can now make use of a new entry, 
> `source-checksum` which can be added to sources that can be hashed, the 
> format is the following: `source-checksum: /`. These are 
> the supported algorithms:
>
> - `md5`
> - `sha1`
> - `sha224`
> - `sha256`

Please cull those from the acceptable digests, they are the Fake News of
cryptographic reassurance ;)

Mark



Re: ANN: snapcraft 2.28 has been released

2017-03-30 Thread Joseph Rushton Wakeling

On 30/03/17 21:54, Sergio Schvezov wrote:
> Prettier version of the release notes can be found on
> https://github.com/snapcore/snapcraft/releases/tag/2.28

Big thanks for this one!  More specifically ...

> ### classic confinement
>
> With this release it should be now possible to use launchpad builders to build
> for other architectures than `amd64` as the detection logic for the dynamic
> linker in core has been fixed.


I can confirm that Launchpad was able to successfully complete both amd64 and 
i386 builds of the current development branch of my ldc2 snap.  Armhf and arm64 
builds are currently under way and are looking fine so far (if anything goes 
wrong I would anticipate it being an LDC issue).


Couldn't have come at a better time as far as I'm concerned.

Thanks again and best wishes,

-- Joe
