On 03/31/2017 03:37 AM, Colin Watson wrote:
> On Fri, Mar 31, 2017 at 11:22:50AM +0100, Mark Shuttleworth wrote:
>> On 30/03/17 20:54, Sergio Schvezov wrote:
>>> ### sources
>>>
>>> Sources, thanks to an external contributor, can now make use of a new
>>> entry, `source-checksum`, which can be added to sources that can be hashed.
>>> The format is the following: `source-checksum: <algorithm>/<digest>`. These
>>> are the supported algorithms:
>>>
>>> - `md5`
>>> - `sha1`
>>> - `sha224`
>>> - `sha256`
>>
>> Please cull those from the acceptable digests, they are the Fake News of
>> cryptographic reassurance ;)
>
> Seriously? MD5 and SHA-1 of course yes, but there's no particular
> evidence that SHA256 is problematic, and as yet it's far more popular as
> an advertised tarball hash than anything based on SHA-3 or BLAKE2. (I
> don't know about SHA224, but it's at least also in the SHA-2 family.)
Indeed, looking at what upstream provides for a few projects I use in my snaps:

- Nextcloud: MD5 and SHA256 (https://nextcloud.com/install/#instructions-server)
- Apache: PGP sig or MD5 (https://www.apache.org/dyn/closer.cgi#verify)
- PHP: MD5 or SHA256 (https://secure.php.net/downloads.php)
- Redis: SHA1 and SHA256 (https://github.com/antirez/redis-hashes/blob/master/README)
- Ubuntu itself: SHA256 (it seems that it also supports MD5 and SHA1) (https://www.ubuntu.com/download/how-to-verify)

I think supporting commonly-used ones here is important, or this becomes difficult to use.

--
Kyle Fazzari (kyrofa)
Software Engineer
Canonical Ltd.
[email protected]
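A checker for the `source-checksum: <algorithm>/<digest>` value described in the quoted release notes, added here as an illustration and not snapcraft's own code. The algorithm list and the `<algorithm>/<digest>` syntax come from the notes; the "weak" flag on `md5` and `sha1` is my own assumption, added so a build can surface the concern raised in this thread instead of silently accepting a collision-prone digest.

```python
import hashlib
import hmac

# Algorithms named in the release notes, mapped to their hex digest length.
SUPPORTED = {"md5": 32, "sha1": 40, "sha224": 56, "sha256": 64}
# Assumption (not from the notes): flag these so callers can warn or reject.
WEAK = {"md5", "sha1"}


def parse_source_checksum(value):
    """Split '<algorithm>/<digest>', normalise case, and validate both halves."""
    algorithm, sep, digest = value.strip().partition("/")
    if not sep:
        raise ValueError("expected '<algorithm>/<digest>', got %r" % value)
    algorithm, digest = algorithm.lower(), digest.lower()
    if algorithm not in SUPPORTED:
        raise ValueError("unsupported algorithm %r" % algorithm)
    want = SUPPORTED[algorithm]
    if len(digest) != want or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("%s digest must be %d hex characters" % (algorithm, want))
    return algorithm, digest


def verify_source_bytes(data, checksum):
    """Return (matches, is_weak) for in-memory source contents."""
    algorithm, digest = parse_source_checksum(checksum)
    actual = hashlib.new(algorithm, data).hexdigest()
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(actual, digest), algorithm in WEAK


def verify_source_file(path, checksum):
    """Same check for a file on disk, streamed so large tarballs fit in memory."""
    algorithm, digest = parse_source_checksum(checksum)
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return hmac.compare_digest(h.hexdigest(), digest), algorithm in WEAK


if __name__ == "__main__":
    # Constructed sample: a tiny "tarball" and its real SHA-256 digest.
    sample = b"hello"
    ok, weak = verify_source_bytes(
        sample, "sha256/2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824")
    print("match:", ok, "weak algorithm:", weak)
```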
--
Snapcraft mailing list
[email protected]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/snapcraft
