Open corburn opened 11 months ago
SGTM, cc @opencontainers/go-digest-maintainers PTAL
overall SGTM; there's one thing I was wondering the other day; when I made my PR (some time ago) to register the default algorithms automatically, that also included sha384 (as it "came with the package"), however the OCI spec doesn't list it (I think; on my phone right now), so I wonder if we should register it by default, or somehow make it optional; https://github.com/opencontainers/go-digest/blob/5d0a5887d13072aa79dce1a3f4c4a39a3f013053/sha.go#L21
(basically; it's easier to add these things, than to remove, once released)
@thaJeztah agreed a future release could add registering SHA384 by default.
Hm, ok, so I had my wires crossed, and thought that before https://github.com/opencontainers/go-digest/commit/084376bb543d4ce80b030a77a6f51f3b3fd861dc, the SHA-384 was not registered, but it already was (but could not be used by default, unless "crypto/sha512" was imported).
So removing SHA384 would be a breaking change (and require a major version bump (V2)); https://github.com/opencontainers/go-digest/pull/97#discussion_r1466954777
I did open a PR to somewhat improve docs (recommended use / not use);
And perhaps we should indeed consider to remove the "not recommended" algorithms from the default for a V2.0 (don't register SHA-512 and SHA-384 by default, and don't import "crypto/sha512")
It's been a few years since the 1.0.0 release with many changes since. Is it possible to cut a stable release? I like the addition of the Digester interface.
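The situation discussed in the comments above, where SHA-384 is registered but cannot be used unless "crypto/sha512" is imported, reproduced with the Go standard library only. This is an added example, not code from the thread or from go-digest; the `registry`, `Status` and `Verify` names are hypothetical.

```go
package main

import (
	"crypto"
	_ "crypto/sha256" // links SHA-256 in; crypto/sha512 is deliberately not imported
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// registry is a hypothetical name-to-hash table, not go-digest's own.
var registry = map[string]crypto.Hash{
	"sha256": crypto.SHA256,
	"sha384": crypto.SHA384,
	"sha512": crypto.SHA512,
}

var (
	ErrUnknown     = errors.New("algorithm not registered")
	ErrUnavailable = errors.New("algorithm registered but not linked into this binary")
	ErrMismatch    = errors.New("digest mismatch")
)

// Status reports whether name is registered and whether it can actually be used.
func Status(name string) (registered, usable bool) {
	h, ok := registry[name]
	return ok, ok && h.Available()
}

// Verify checks data against an "algorithm:hex" digest string.
func Verify(dgst string, data []byte) error {
	name, want, _ := strings.Cut(dgst, ":")
	registered, usable := Status(name)
	if !registered {
		return ErrUnknown
	}
	if !usable { // crypto.Hash.New would panic here, so fail closed instead
		return ErrUnavailable
	}
	h := registry[name].New()
	h.Write(data)
	if hex.EncodeToString(h.Sum(nil)) != want {
		return ErrMismatch
	}
	return nil
}

func main() {
	for _, n := range []string{"sha256", "sha384", "md5"} {
		r, u := Status(n)
		fmt.Printf("%-6s registered=%v usable=%v\n", n, r, u)
	}
}
```

Whether `sha384` reports as usable depends on whether anything in the final binary imports "crypto/sha512", which is why the check is made at verification time rather than assumed from the registry.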