ANN: snapcraft 2.28 has been released

Kyle Fazzari kyle.fazzari at canonical.com
Fri Mar 31 14:58:16 UTC 2017
On 03/31/2017 03:37 AM, Colin Watson wrote:
> On Fri, Mar 31, 2017 at 11:22:50AM +0100, Mark Shuttleworth wrote:
>> On 30/03/17 20:54, Sergio Schvezov wrote:
>>> ### sources
>>>
>>> Sources, thanks to an external contributor, can now make use of a new entry, `source-checksum` which can be added to sources that can be hashed, the format is the following: `source-checksum: <algorithm>/<digest>`. These are the supported algorithms:
>>>
>>> - `md5`
>>> - `sha1`
>>> - `sha224`
>>> - `sha256`
>>
>> Please cull those from the acceptable digests, they are the Fake News of
>> cryptographic reassurance ;)
> 
> Seriously?  MD5 and SHA-1 of course yes, but there's no particular
> evidence that SHA256 is problematic, and as yet it's far more popular as
> an advertised tarball hash than anything based on SHA-3 or BLAKE2.  (I
> don't know about SHA224, but it's at least also in the SHA-2 family.)

Indeed, looking at what upstream provides for a few projects I use in my
snaps:

- Nextcloud: MD5 and SHA256 (https://nextcloud.com/install/#instructions-server)
- Apache: PGP sig or MD5 (https://www.apache.org/dyn/closer.cgi#verify)
- PHP: MD5 or SHA256 (https://secure.php.net/downloads.php)
- Redis: SHA1 and SHA256 (https://github.com/antirez/redis-hashes/blob/master/README)
- Ubuntu itself: SHA256 (it seems that it also supports MD5 and SHA1) (https://www.ubuntu.com/download/how-to-verify)

I think supporting commonly-used ones here is important, or this becomes
difficult to use.

-- 
Kyle Fazzari (kyrofa)
Software Engineer
Canonical Ltd.
kyle at canonical.com
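The `source-checksum: <algorithm>/<digest>` entry and the four algorithm names under discussion, as an added example of how a verifier can parse and check such an entry while flagging the collision-broken algorithms the thread objects to; this is illustrative code written for this thread, not snapcraft's own implementation, and the sample bytes are constructed.

```python
"""Parse and verify a snapcraft-style ``source-checksum`` entry.

Added example, not snapcraft's code. The ``<algorithm>/<digest>`` form and
the algorithm names come from the announcement quoted in the thread; the
weak/strong split reflects the objection raised to md5 and sha1.
"""
import hashlib
import hmac
from dataclasses import dataclass

# Algorithms the announced feature accepts (from the quoted release note).
SUPPORTED = {"md5", "sha1", "sha224", "sha256"}
# Collision-broken algorithms: still accepted because upstreams publish
# them, but a verifier should at least surface a warning for these.
WEAK = {"md5", "sha1"}


@dataclass(frozen=True)
class ChecksumResult:
    algorithm: str
    ok: bool      # digest matched the data
    weak: bool    # algorithm is md5 or sha1


def parse_source_checksum(spec):
    """Split 'algorithm/digest' and validate both halves."""
    algorithm, sep, digest = spec.strip().partition("/")
    algorithm, digest = algorithm.lower(), digest.lower()
    if not sep or not digest:
        raise ValueError(f"expected <algorithm>/<digest>, got {spec!r}")
    if algorithm not in SUPPORTED:
        raise ValueError(f"unsupported algorithm {algorithm!r}")
    expected_len = hashlib.new(algorithm).digest_size * 2
    if len(digest) != expected_len or set(digest) - set("0123456789abcdef"):
        raise ValueError(f"{algorithm} digest must be {expected_len} hex chars")
    return algorithm, digest


def checksum_for(data, algorithm):
    """Build the 'algorithm/digest' spec an upstream would publish for data."""
    return f"{algorithm}/{hashlib.new(algorithm, data).hexdigest()}"


def verify_source(data, spec):
    """Check data against spec; the digest comparison is constant-time."""
    algorithm, digest = parse_source_checksum(spec)
    actual = hashlib.new(algorithm, data).hexdigest()
    return ChecksumResult(algorithm, hmac.compare_digest(actual, digest),
                          algorithm in WEAK)


if __name__ == "__main__":
    sample = b"constructed tarball contents"  # constructed stand-in for a source archive
    for spec in (checksum_for(sample, "sha256"), checksum_for(sample, "md5")):
        r = verify_source(sample, spec)
        print(spec, "ok" if r.ok else "MISMATCH", "(weak algorithm)" if r.weak else "")
```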
