Re: ANN: snapcraft 2.28 has been released
On Sat, Apr 1, 2017 at 5:22 PM, John Lenton wrote:
> On 31 March 2017 at 21:52, Neal Gompa wrote:
>> we definitely don't want to use less than SHA256 for snaps.
>
> note snaps use sha3-384 currently; the above discussion is, as I
> understand it, about snapcraft checking upstream checksums at build
> time.

Sure, but it's just as important that the inputs can be trusted for a given snap created by snapcraft, and allowing people to choose weak algorithms is against that.

-- 
真実はいつも一つ!/ Always, there's only one truth!

-- 
Snapcraft mailing list
Snapcraft@lists.snapcraft.io
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/snapcraft
Re: ANN: snapcraft 2.28 has been released
On 03/31/2017 03:37 AM, Colin Watson wrote:
> On Fri, Mar 31, 2017 at 11:22:50AM +0100, Mark Shuttleworth wrote:
>> On 30/03/17 20:54, Sergio Schvezov wrote:
>>> ### sources
>>>
>>> Sources, thanks to an external contributor, can now make use of a new
>>> entry, `source-checksum` which can be added to sources that can be hashed,
>>> the format is the following: `source-checksum: /`. These
>>> are the supported algorithms:
>>>
>>> - `md5`
>>> - `sha1`
>>> - `sha224`
>>> - `sha256`
>>
>> Please cull those from the acceptable digests, they are the Fake News of
>> cryptographic reassurance ;)
>
> Seriously? MD5 and SHA-1 of course yes, but there's no particular
> evidence that SHA256 is problematic, and as yet it's far more popular as
> an advertised tarball hash than anything based on SHA-3 or BLAKE2. (I
> don't know about SHA224, but it's at least also in the SHA-2 family.)

Indeed, looking at what upstream provides for a few projects I use in my snaps:

- Nextcloud: MD5 and SHA256 (https://nextcloud.com/install/#instructions-server)
- Apache: PGP sig or MD5 (https://www.apache.org/dyn/closer.cgi#verify)
- PHP: MD5 or SHA256 (https://secure.php.net/downloads.php)
- Redis: SHA1 and SHA256 (https://github.com/antirez/redis-hashes/blob/master/README)
- Ubuntu itself: SHA256 (it seems that it also supports MD5 and SHA1 (https://www.ubuntu.com/download/how-to-verify))

I think supporting commonly-used ones here is important, or this becomes difficult to use.

-- 
Kyle Fazzari (kyrofa)
Software Engineer
Canonical Ltd.
k...@canonical.com
Re: ANN: snapcraft 2.28 has been released
On Fri, Mar 31, 2017 at 11:22:50AM +0100, Mark Shuttleworth wrote:
> On 30/03/17 20:54, Sergio Schvezov wrote:
> > ### sources
> >
> > Sources, thanks to an external contributor, can now make use of a new
> > entry, `source-checksum` which can be added to sources that can be hashed,
> > the format is the following: `source-checksum: /`. These
> > are the supported algorithms:
> >
> > - `md5`
> > - `sha1`
> > - `sha224`
> > - `sha256`
>
> Please cull those from the acceptable digests, they are the Fake News of
> cryptographic reassurance ;)

Seriously? MD5 and SHA-1 of course yes, but there's no particular evidence that SHA256 is problematic, and as yet it's far more popular as an advertised tarball hash than anything based on SHA-3 or BLAKE2. (I don't know about SHA224, but it's at least also in the SHA-2 family.)

Current NIST policy recommends SHA256 as a minimum, and says "Currently there is no need to transition applications from SHA-2 to SHA-3", dated 2015-08-05 (http://csrc.nist.gov/groups/ST/hash/policy.html).

Of course it's always important to retain hash algorithm agility and usually wise to prefer more recent standards in new applications, but it's IMO far too early to regard SHA256 as unacceptable.

-- 
Colin Watson [cjwat...@ubuntu.com]
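The thread argues over which algorithms a `source-checksum` value should accept. The following is an added example written for this page, not snapcraft's own implementation: a small verifier that parses a value, refuses MD5 and SHA-1 unless the caller explicitly opts in (the allow-list is this example's policy choice, not snapcraft's), rejects digests of the wrong length before hashing anything, and compares the computed digest in constant time. It assumes the value takes the form `<algorithm>/<hex digest>` (the placeholders were lost from the quoted announcement above), with algorithm names as hashlib spells them, and that Python 3.6 or later is available so that the SHA-3 names resolve. The sample input is a constructed stand-in for a downloaded tarball; its SHA-256 and SHA-1 values are the FIPS 180 test vectors for "abc".

```python
"""Parse and verify a snapcraft-style ``source-checksum`` value.

Added example for this thread, not snapcraft's own code. Assumes the value
has the form ``<algorithm>/<hex digest>`` with hashlib algorithm names.
"""
import hashlib
import hmac

# Policy for this example (a choice, not snapcraft's): md5 and sha1 are
# refused unless the caller opts in; SHA-2 and SHA-3 members are accepted.
WEAK = frozenset({"md5", "sha1"})
STRONG = frozenset({"sha224", "sha256", "sha384", "sha512",
                    "sha3_256", "sha3_384", "sha3_512"})


class ChecksumError(ValueError):
    """Raised for a malformed value or a refused algorithm."""


def parse_source_checksum(value, allow_weak=False):
    """Split ``algorithm/digest`` and validate both parts.

    Returns (algorithm, digest) with both parts lower-cased.
    """
    algorithm, sep, digest = value.partition("/")
    if not sep:
        raise ChecksumError("expected '<algorithm>/<digest>', got %r" % value)
    algorithm = algorithm.lower()
    digest = digest.strip().lower()
    if algorithm in WEAK and not allow_weak:
        raise ChecksumError("%s is refused for source verification" % algorithm)
    if algorithm not in WEAK | STRONG:
        raise ChecksumError("unsupported algorithm %r" % algorithm)
    # A digest of the wrong length is a typo or copy-paste error, not a
    # mismatch; refuse it before downloading or hashing anything.
    want = hashlib.new(algorithm).digest_size * 2
    if len(digest) != want or any(c not in "0123456789abcdef" for c in digest):
        raise ChecksumError("%s digest must be %d hex characters" % (algorithm, want))
    return algorithm, digest


def verify_source(data, source_checksum, allow_weak=False):
    """Return True iff ``data`` hashes to the declared digest."""
    algorithm, expected = parse_source_checksum(source_checksum, allow_weak)
    actual = hashlib.new(algorithm, data).hexdigest()
    # Constant-time compare: cheap insurance even for a build-time check.
    return hmac.compare_digest(actual, expected)


def make_source_checksum(data, algorithm="sha256"):
    """Produce the value an upstream would publish for ``data``."""
    if algorithm not in WEAK | STRONG:
        raise ChecksumError("unsupported algorithm %r" % algorithm)
    return "%s/%s" % (algorithm, hashlib.new(algorithm, data).hexdigest())


def outcome(data, source_checksum, allow_weak=False):
    """Classify one verification as 'ok', 'mismatch' or 'rejected: <why>'."""
    try:
        return "ok" if verify_source(data, source_checksum, allow_weak) else "mismatch"
    except ChecksumError as exc:
        return "rejected: %s" % exc


# Constructed sample "source" standing in for a downloaded tarball, with its
# SHA-256 and SHA-1 taken from the FIPS 180 test vectors for "abc".
SAMPLE = b"abc"
SAMPLE_SHA256 = "sha256/ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
SAMPLE_SHA1 = "sha1/a9993e364706816aba3e25717850c26c9cd0d89d"

if __name__ == "__main__":
    print(outcome(SAMPLE, SAMPLE_SHA256))                            # ok
    print(outcome(SAMPLE + b"\n", SAMPLE_SHA256))                    # mismatch
    print(outcome(SAMPLE, SAMPLE_SHA1))                              # rejected: sha1 ...
    print(outcome(SAMPLE, SAMPLE_SHA1, allow_weak=True))             # ok
    print(outcome(SAMPLE, "sha256/deadbeef"))                        # rejected: sha256 digest must be 64 hex characters
    print(outcome(SAMPLE, make_source_checksum(SAMPLE, "sha3_384")))  # ok
```

The `allow_weak` switch is the agility point Colin raises: the set of accepted algorithms is data, so MD5 or SHA-1 can be turned off (or SHA-2 tightened later) without touching the verification path, and an upstream that only publishes MD5 can still be pinned by a maintainer who has chosen to accept that risk explicitly.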
Re: ANN: snapcraft 2.28 has been released
What a great release, thank you! Only one request:

On 30/03/17 20:54, Sergio Schvezov wrote:
> ### sources
>
> Sources, thanks to an external contributor, can now make use of a new entry,
> `source-checksum` which can be added to sources that can be hashed, the
> format is the following: `source-checksum: /`. These are
> the supported algorithms:
>
> - `md5`
> - `sha1`
> - `sha224`
> - `sha256`

Please cull those from the acceptable digests, they are the Fake News of cryptographic reassurance ;)

Mark
Re: ANN: snapcraft 2.28 has been released
On 30/03/17 21:54, Sergio Schvezov wrote:
> Prettier version of the release notes can be found on
> https://github.com/snapcore/snapcraft/releases/tag/2.28

Big thanks for this one! More specifically ...

> ### classic confinement
>
> With this release it should be now possible to use launchpad builders to
> build for other architectures than `amd64` as the detection logic for the
> dynamic linker in core has been fixed.

I can confirm that Launchpad was able to successfully complete both amd64 and i386 builds of the current development branch of my ldc2 snap. Armhf and arm64 builds are currently under way and are looking fine so far (if anything goes wrong I would anticipate it being an LDC issue).

Couldn't have come at a better time as far as I'm concerned.

Thanks again and best wishes,

-- 
Joe