audreyt / module-signature

Module signature file manipulation
http://github.com/audreyt/module-signature

Use SHA-256 as the default digest. #9

Closed bk2204 closed 2 years ago

bk2204 commented 9 years ago

SHA-1 is presently considered weak, and most experts suggest transitioning to something better. Use SHA-256 by default instead, as it is presently considered secure and it works well on 32-bit systems.

I considered SHA-512, which is significantly faster on 64-bit systems (and more secure), but I believe Digest::SHA requires a compiler that supports 64-bit integers for that, and as we all know Perl runs on some positively ancient systems. Either way, changing away from Digest::SHA1 will require a non-core module for Perl before 5.9.3, but I don't consider this to be a problem given the improvement in security.

The t/3-verify.t test may require updating at some point, as the grep currently looks for "SHA1", but all the tests currently pass for me.
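To make the change concrete, here is an added Perl example (not Module::Signature's own code) that computes digest lines with Digest::SHA, using SHA-256 by default while still verifying lines that name SHA1, so a transition does not break verification of existing signatures. It assumes a line layout of `ALGORITHM hexdigest filename` and the status words `ok`, `MISMATCH`, `MISSING`, `UNSUPPORTED`; the file tree is constructed in memory rather than read from disk.

```perl
#!/usr/bin/env perl
# Added example, not Module::Signature's own code.
# Generate digest lines for a set of files with SHA-256 by default, and verify
# lines whose leading token names the algorithm, so older SHA1 lines still verify.
use strict;
use warnings;
use Digest::SHA;   # core module since Perl 5.9.3; a separate install before that

# Assumption: the algorithm token is the first whitespace-separated field of
# each line. Map it to the argument Digest::SHA->new expects.
my %ALG = (
    SHA1   => 1,
    SHA256 => 256,
);
my $DEFAULT_ALG = 'SHA256';

# Hex digest of in-memory content under the named algorithm.
sub hexdigest_for {
    my ($alg, $content) = @_;
    my $bits = $ALG{$alg} or die "unsupported digest algorithm: $alg\n";
    return Digest::SHA->new($bits)->add($content)->hexdigest;
}

# $files: hashref of filename => content (constructed here; a real tool reads disk).
# Returns one "ALG hex filename" line per file, sorted by name for stable output.
sub digest_lines {
    my ($files, $alg) = @_;
    $alg = $DEFAULT_ALG unless defined $alg;
    return map { sprintf("%s %s %s", $alg, hexdigest_for($alg, $files->{$_}), $_) }
           sort keys %$files;
}

# Recompute each line against the current tree. Returns [filename, status] pairs.
sub verify_lines {
    my ($files, @lines) = @_;
    my @results;
    for my $line (@lines) {
        my ($alg, $hex, $name) = split /\s+/, $line, 3;
        if (!exists $ALG{$alg})     { push @results, [$name, 'UNSUPPORTED']; next; }
        if (!exists $files->{$name}) { push @results, [$name, 'MISSING'];     next; }
        my $actual = hexdigest_for($alg, $files->{$name});
        push @results, [$name, lc($actual) eq lc($hex) ? 'ok' : 'MISMATCH'];
    }
    return @results;
}

# Constructed sample tree.
my %tree = (
    'lib/Foo.pm' => "package Foo;\n1;\n",
    'META.yml'   => "name: Foo\nversion: 0.01\n",
);

# New signatures come out as SHA256 lines.
my @sig = digest_lines(\%tree);
print "$_\n" for @sig;

# Lines produced by an older SHA1 signer still verify, because the token
# selects the algorithm at verification time.
my @legacy = digest_lines(\%tree, 'SHA1');

# Tamper with one file and re-verify both sets: lib/Foo.pm is reported as
# MISMATCH under both algorithms, META.yml as ok.
my %tampered = (%tree, 'lib/Foo.pm' => "package Foo;\n0;\n");
for my $r (verify_lines(\%tampered, @sig, @legacy)) {
    printf "%-12s %s\n", $r->[1], $r->[0];
}
```

Keeping the algorithm token in the line is what lets the default change without a flag day: new signatures are emitted with SHA256, and verification of older SHA1 lines keeps working until they are re-signed. The same table would take a `SHA512 => 512` entry, with the caveat from the comment above that Digest::SHA only provides the 512-bit variants when built with a compiler that has 64-bit integers.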

audreyt commented 2 years ago

This has been implemented since 0.82 in 2018.