Provide better hashes for modfiles

Question

Provide better hashes for modfiles

leper opened this issue 6 years ago · 3 comments

leper commented 6 years ago

Currently the only checksum available for files is md5.

It would be nice if there's a checksum available that wasn't considered broken in the last century.

SHA-3 would be nice.

Answer 1 · 2018-01-10T02:09:35.000Z

Which hashes do your favorite package managers use?

At the moment md5 is provided because the primary aim is to verify the file download is complete. Collisions are not really a consideration.

Answer 2 · 2018-01-10T02:44:45.000Z

They handle that by signing files, but among the things used for those are BLAKE2, SHA256 and I guess if you start looking you are going to find more easily.

I guess BLAKE2 could be interesting given that it tends to be quite fast. I'd probably not start using SHA-2 when SHA-3 is already out there, but the same applies to MD5.

Answer 3 · 2018-01-10T03:32:24.000Z

I saw some recommendations for BLAKE2. Will look into it.