ANN: snapcraft 2.28 has been released

Mark Shuttleworth mark at ubuntu.com
Fri Mar 31 18:26:27 UTC 2017


On 31/03/17 11:37, Colin Watson wrote:
> Current NIST policy recommends SHA256 as a minimum,

Since we're starting something new, I would prefer us to be well off the
minimum.

>  and says "Currently
> there is no need to transition applications from SHA-2 to SHA-3", dated
> 2015-08-05 (http://csrc.nist.gov/groups/ST/hash/policy.html).  Of course
> it's always important to retain hash algorithm agility and usually wise
> to prefer more recent standards in new applications, but it's IMO far
> too early to regard SHA256 as unacceptable.

If these are easy for the snapcrafter to create, then I suggest we just
use SHA2-384 or greater. If for some reason we are limited to things
that upstreams already publish then we could include the lower SHA2's.
But since the whole point is for snapcraft to fetch the blob, it seems
trivial for the snapcrafter to use a longer one. It's highly likely they
are cutting and pasting a long string, not typing it in from memory :)

Mark






More information about the Snapcraft mailing list