ANN: snapcraft 2.28 has been released

Kyle Fazzari kyle.fazzari at
Fri Mar 31 14:58:16 UTC 2017

On 03/31/2017 03:37 AM, Colin Watson wrote:
> On Fri, Mar 31, 2017 at 11:22:50AM +0100, Mark Shuttleworth wrote:
>> On 30/03/17 20:54, Sergio Schvezov wrote:
>>> ### sources
>>> Sources, thanks to an external contributor, can now make use of a new entry, `source-checksum` which can be added to sources that can be hashed, the format is the following: `source-checksum: <algorithm>/<digest>`. These are the supported algorithms:
>>> - `md5`
>>> - `sha1`
>>> - `sha224`
>>> - `sha256`
>> Please cull those from the acceptable digests, they are the Fake News of
>> cryptographic reassurance ;)
> Seriously?  MD5 and SHA-1 of course yes, but there's no particular
> evidence that SHA256 is problematic, and as yet it's far more popular as
> an advertised tarball hash than anything based on SHA-3 or BLAKE2.  (I
> don't know about SHA224, but it's at least also in the SHA-2 family.)

Indeed, looking at what upstream provides for a few projects I use in my

- Nextcloud: MD5 and SHA256
- Apache: PGP sig or MD5 (
- PHP: MD5 or SHA256 (
- Redis: SHA1 and SHA256
- Ubuntu itself: SHA256 (it seems that it also supports MD5 and SHA1

I think supporting commonly-used ones here is important, or this becomes
difficult to use.

Kyle Fazzari (kyrofa)
Software Engineer
Canonical Ltd.
kyle at

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <>

More information about the Snapcraft mailing list