ANN: snapcraft 2.28 has been released

Colin Watson cjwatson at ubuntu.com
Fri Mar 31 10:37:44 UTC 2017


On Fri, Mar 31, 2017 at 11:22:50AM +0100, Mark Shuttleworth wrote:
> On 30/03/17 20:54, Sergio Schvezov wrote:
> > ### sources
> >
> > Sources, thanks to an external contributor, can now make use of a new entry, `source-checksum` which can be added to sources that can be hashed, the format is the following: `source-checksum: <algorithm>/<digest>`. These are the supported algorithms:
> >
> > - `md5`
> > - `sha1`
> > - `sha224`
> > - `sha256`
> 
> Please cull those from the acceptable digests, they are the Fake News of
> cryptographic reassurance ;)

Seriously?  MD5 and SHA-1 of course yes, but there's no particular
evidence that SHA256 is problematic, and as yet it's far more popular as
an advertised tarball hash than anything based on SHA-3 or BLAKE2.  (I
don't know about SHA224, but it's at least also in the SHA-2 family.)

Current NIST policy recommends SHA256 as a minimum, and says "Currently
there is no need to transition applications from SHA-2 to SHA-3", dated
2015-08-05 (http://csrc.nist.gov/groups/ST/hash/policy.html).  Of course
it's always important to retain hash algorithm agility and usually wise
to prefer more recent standards in new applications, but it's IMO far
too early to regard SHA256 as unacceptable.

-- 
Colin Watson                                       [cjwatson at ubuntu.com]
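The `source-checksum: <algorithm>/<digest>` entry quoted above, and the disagreement over which algorithms belong in the accepted set, is easy to make concrete. The following is an added example written for this archive page; it is not snapcraft's own code, and the names `parse_source_checksum`, `compute_digest` and `verify_source` are hypothetical. It parses the documented `<algorithm>/<digest>` form, checks the digest length against the algorithm's output size before hashing anything, compares in constant time, and, following the position taken in this thread, refuses `md5` and `sha1` unless the caller opts in while accepting the SHA-2 family members the announcement lists.

```python
import hashlib
import hmac
import re
from typing import NamedTuple, Optional, Tuple

# Algorithms the 2.28 announcement lists for `source-checksum`.
SUPPORTED_ALGORITHMS = ("md5", "sha1", "sha224", "sha256")

# Collision-broken digests: verified only when the caller explicitly opts in,
# mirroring the thread's argument that MD5/SHA-1 should be culled while the
# SHA-2 family (sha224, sha256) remains acceptable today.
WEAK_ALGORITHMS = frozenset({"md5", "sha1"})

_CHECKSUM_RE = re.compile(r"^(?P<algorithm>[a-z0-9]+)/(?P<digest>[0-9a-fA-F]+)$")


class ChecksumError(ValueError):
    """Raised for a malformed or unsupported `source-checksum` value."""


class VerifyResult(NamedTuple):
    ok: bool
    algorithm: Optional[str]
    reason: str


def parse_source_checksum(value: str) -> Tuple[str, str]:
    """Split `<algorithm>/<digest>` and validate both halves.

    The digest is normalised to lowercase hex and its length is checked against
    the algorithm's output size, so a truncated or padded digest is rejected
    before any source data is read.
    """
    match = _CHECKSUM_RE.match(value.strip())
    if match is None:
        raise ChecksumError(f"malformed source-checksum: {value!r}")
    algorithm = match.group("algorithm")
    digest = match.group("digest").lower()
    if algorithm not in SUPPORTED_ALGORITHMS:
        raise ChecksumError(f"unsupported algorithm: {algorithm}")
    expected_len = hashlib.new(algorithm).digest_size * 2  # hex chars
    if len(digest) != expected_len:
        raise ChecksumError(
            f"{algorithm} digest must be {expected_len} hex chars, got {len(digest)}"
        )
    return algorithm, digest


def compute_digest(algorithm: str, data: bytes) -> str:
    """Hex digest of `data` under one of the supported algorithms."""
    h = hashlib.new(algorithm)
    h.update(data)
    return h.hexdigest()


def verify_source(data: bytes, source_checksum: str,
                  allow_weak: bool = False) -> VerifyResult:
    """Check fetched source bytes against a `source-checksum` declaration.

    Returns a result rather than raising so a build tool can report the
    precise reason (malformed entry, weak algorithm, mismatch) to the user.
    """
    try:
        algorithm, expected = parse_source_checksum(source_checksum)
    except ChecksumError as exc:
        return VerifyResult(False, None, str(exc))
    if algorithm in WEAK_ALGORITHMS and not allow_weak:
        return VerifyResult(False, algorithm,
                            f"{algorithm} is collision-broken; refusing without allow_weak")
    actual = compute_digest(algorithm, data)
    # Constant-time comparison: the digest is attacker-influenced input.
    if not hmac.compare_digest(actual, expected):
        return VerifyResult(False, algorithm, "digest mismatch")
    return VerifyResult(True, algorithm, "ok")


if __name__ == "__main__":
    # Constructed sample standing in for a fetched source tarball.
    sample = b"constructed sample tarball bytes\n"
    print(verify_source(sample, f"sha256/{compute_digest('sha256', sample)}"))
    print(verify_source(sample, f"md5/{compute_digest('md5', sample)}"))
    print(verify_source(sample, "sha256/" + "0" * 64))
```

Hash agility, which the message above calls important to retain, lives in `SUPPORTED_ALGORITHMS`: adding a SHA-3 or BLAKE2 name supported by `hashlib` is a one-line change, and demoting an algorithm means moving it into `WEAK_ALGORITHMS` rather than silently dropping it, so existing snapcraft.yaml files fail with a clear reason instead of an "unsupported" error.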
