On 31/03/17 11:37, Colin Watson wrote:
> Current NIST policy recommends SHA256 as a minimum,

Since we're starting something new, I would prefer us to be well off the minimum.

> and says "Currently
> there is no need to transition applications from SHA-2 to SHA-3", dated
> 2015-08-05 (http://csrc.nist.gov/groups/ST/hash/policy.html). Of course
> it's always important to retain hash algorithm agility and usually wise
> to prefer more recent standards in new applications, but it's IMO far
> too early to regard SHA256 as unacceptable.

If these are easy for the snapcrafter to create, then I suggest we just use SHA2-384 or greater. If for some reason we are limited to things that upstreams already publish then we could include the lower SHA2's.

But since the whole point is for snapcraft to fetch the blob, it seems trivial for the snapcrafter to use a longer one. It's highly likely they are cutting and pasting a long string, not typing it in from memory :)

Mark