ANN: snapcraft 2.28 has been released

Neal Gompa ngompa13 at gmail.com
Fri Mar 31 20:52:58 UTC 2017


On Fri, Mar 31, 2017 at 2:26 PM, Mark Shuttleworth <mark at ubuntu.com> wrote:
> On 31/03/17 11:37, Colin Watson wrote:
>> Current NIST policy recommends SHA256 as a minimum,
>
> Since we're starting something new, I would prefer us to be well off the
> minimum.
>
>>  and says "Currently
>> there is no need to transition applications from SHA-2 to SHA-3", dated
>> 2015-08-05 (http://csrc.nist.gov/groups/ST/hash/policy.html).  Of course
>> it's always important to retain hash algorithm agility and usually wise
>> to prefer more recent standards in new applications, but it's IMO far
>> too early to regard SHA256 as unacceptable.
>
> If these are easy for the snapcrafter to create, then I suggest we just
> use SHA2-384 or greater. If for some reason we are limited to things
> that upstreams already publish then we could include the lower SHA2's.
> But since the whole point is for snapcraft to fetch the blob, it seems
> trivial for the snapcrafter to use a longer one. It's highly likely they
> are cutting and pasting a long string, not typing it in from memory :)
>
> Mark
>

I'd recommend no lower than SHA256. In Fedora, we've transitioned our
lookaside cache (which stores upstream tarballs) to SHA 512, but we
definitely don't want to use less than SHA256 for snaps.

Personally, I'd recommend:
* SHA2 256, 384, 512
* SHA3 256, 384, 512
* BLAKE2s, BLAKE2b


-- 
真実はいつも一つ!/ Always, there's only one truth!
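To make the thread's points concrete (a minimum of SHA-256, a wider allowlist for agility, and Mark's observation that the snapcrafter pastes a long digest rather than typing it), here is an added example of a checksum verifier. It is not snapcraft's own code: the `<algorithm>/<hexdigest>` spec format, the function names and the sample blob are assumptions made for the example. The allowlist is Neal's list spelled the way Python's `hashlib` names the algorithms; checking the digest length against the algorithm also catches a truncated paste or a digest labelled with the wrong algorithm.

```python
import hashlib
import hmac
import re

# Accepted algorithms (the set proposed in the thread), mapped to the digest
# size in bytes each produces. hashlib spells SHA-3 as sha3_256 etc. SHA-1 and
# MD5 are deliberately absent, as is anything shorter than 256 bits.
ACCEPTED_DIGEST_BYTES = {
    "sha256": 32, "sha384": 48, "sha512": 64,
    "sha3_256": 32, "sha3_384": 48, "sha3_512": 64,
    "blake2s": 32, "blake2b": 64,
}


class ChecksumError(ValueError):
    """Raised when a checksum spec is malformed or names a rejected algorithm."""


def parse_checksum(spec):
    """Parse '<algorithm>/<hexdigest>' (assumed format) into (algorithm, digest).

    Rejects algorithms outside the allowlist and digests whose length does not
    match the algorithm, so a truncated copy/paste or a SHA-256 digest
    mislabelled as SHA-512 fails here rather than at build time.
    """
    if "/" not in spec:
        raise ChecksumError("expected '<algorithm>/<hexdigest>'")
    algo, digest = spec.split("/", 1)
    algo = algo.strip().lower().replace("-", "_")  # accept 'SHA3-384' as well as 'sha3_384'
    if algo not in ACCEPTED_DIGEST_BYTES:
        raise ChecksumError(f"algorithm {algo!r} is not accepted (SHA-256 is the minimum)")
    digest = digest.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", digest):
        raise ChecksumError("digest must be hexadecimal")
    expected_len = 2 * ACCEPTED_DIGEST_BYTES[algo]
    if len(digest) != expected_len:
        raise ChecksumError(f"{algo} digest must be {expected_len} hex chars, got {len(digest)}")
    return algo, digest


def verify_blob(data, spec):
    """Return True if the fetched bytes match the spec, False otherwise.

    A malformed or disallowed spec raises ChecksumError, so a bad spec fails
    the fetch instead of silently passing.
    """
    algo, expected = parse_checksum(spec)
    actual = hashlib.new(algo, data).hexdigest()
    return hmac.compare_digest(actual, expected)


def make_checksum(data, algo="sha512"):
    """Snapcrafter-side counterpart: produce the spec string for a blob."""
    if algo not in ACCEPTED_DIGEST_BYTES:
        raise ChecksumError(f"algorithm {algo!r} is not accepted")
    return f"{algo}/{hashlib.new(algo, data).hexdigest()}"


if __name__ == "__main__":
    # Constructed stand-in for a fetched upstream tarball.
    blob = b"constructed sample tarball bytes\n"
    spec = make_checksum(blob, "sha3_384")
    print(spec, verify_blob(blob, spec))            # True: blob matches
    print(verify_blob(blob + b"x", spec))           # False: one byte changed
```

`hmac.compare_digest` is used for the final comparison so the verifier does not leak how many leading hex characters matched; adding a new algorithm later is a one-line change to the allowlist, which is the hash agility Colin mentions.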