stringbean / sbt-dependency-lock

sbt plugin for creating dependency lockfiles
https://stringbean.github.io/sbt-dependency-lock
Apache License 2.0
14 stars 6 forks

Prep work for supporting multiple lockfile versions #27

Open stringbean opened 3 years ago

stringbean commented 3 years ago

Improves lockfile parsing ready for the addition of lockfile v2.

roberth commented 2 years ago

It'd be great if sbt-dependency-lock could switch to sha256 and this seems like a good opportunity to do so. By switching to a secure hash, the lock file can be used to retrieve dependencies from an untrusted content addressable store such as IPFS securely.

roberth commented 2 years ago

Also, if you're interested, you could switch to the SRI hash format, roughly algorithm followed by `-` followed by base64 (`sha256-<base64>`). It originates from a web specification, but is also used by the Nix package manager nowadays. This isn't nearly as important as switching to a secure hash, but I figured I'd share it. You could still require only sha256 because simple is good when it comes to security. If sha256 breaks, you'll want everyone to upgrade anyway and have no uncertainty about the effectiveness of the upgrade. "Have one joint and keep it well oiled" -- Adam Langley

colindean commented 1 year ago

👍 to SRI hash format, TIL it has a name. https://www.srihash.org has a nice tester with the content of https://www.srihash.org being sha256-uy7gpfhgyj+3Ylw65ROY6YOXHoC0M7Acb11Cd7pf1GU as of this posting.

Defaulting to including sha256 would be sane but enabling the user to opt into other formats explicitly or just choose one additional as the "best available" would be cool. Opting-into best-available would choose sha256 as a baseline but then also record something like sha3. Checking would consume the best available in some preference list.
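The scheme the two comments above sketch (SRI-style `<algo>-<base64>` tokens, sha256 as the floor, and a strongest-first preference list at check time) fits in a few dozen lines. The block below is an added example written for this page; it is not code from sbt-dependency-lock, and it is in Python rather than Scala because it only illustrates the token format and the verification policy. `PREFERRED_ALGOS`, `SAMPLE_ARTIFACT` and the function names are this example's own choices. Two details a practitioner would want: a lockfile entry whose only digest is sha1 or md5 fails verification instead of being trusted, and trailing `=` padding is optional on parse, so a token copied without it (like the srihash.org one quoted above) still checks.

```python
"""Added example: SRI-style digests with a strongest-first preference list.
Not sbt-dependency-lock code; names below are this example's own."""
import base64
import hashlib
import hmac
import re

# Strongest first. sha1 and md5 are deliberately absent: an entry that only
# carries a weak digest is treated as having no usable digest at all.
PREFERRED_ALGOS = ("sha512", "sha384", "sha256")

# '<algo>-<base64>'; trailing '=' padding is optional so tokens copied
# without it still parse.
_SRI_RE = re.compile(r"^(?P<algo>[a-z0-9]+)-(?P<b64>[A-Za-z0-9+/]+)=*$")

# Constructed sample standing in for a fetched jar (not a real artifact).
SAMPLE_ARTIFACT = b"constructed artifact body, not a real jar\n"


def sri_hash(data: bytes, algo: str = "sha256") -> str:
    """Return '<algo>-<base64 of raw digest>'; refuses to emit weak algorithms."""
    if algo not in PREFERRED_ALGOS:
        raise ValueError(f"refusing to emit {algo}: not in allowed list")
    raw = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(raw).decode('ascii')}"


def parse_sri(token: str) -> tuple[str, bytes]:
    """Split a token into (algo, raw digest); reject malformed or wrong-length ones."""
    m = _SRI_RE.match(token)
    if not m:
        raise ValueError(f"malformed SRI token: {token!r}")
    algo, b64 = m.group("algo"), m.group("b64")
    b64 += "=" * (-len(b64) % 4)          # restore padding if it was dropped
    raw = base64.b64decode(b64, validate=True)
    try:
        expected = hashlib.new(algo).digest_size
    except ValueError as e:                # name hashlib does not know
        raise ValueError(f"unknown algorithm in {token!r}") from e
    if len(raw) != expected:
        raise ValueError(f"{algo} digest should be {expected} bytes, got {len(raw)}")
    return algo, raw


def verify(data: bytes, recorded: list[str]) -> str:
    """Check data against the strongest recorded digest; return the algorithm used.

    Every token must parse (a corrupt lockfile is an error), but only algorithms
    in PREFERRED_ALGOS are consulted, so a lone sha1 entry cannot pass the check.
    """
    digests = dict(parse_sri(t) for t in recorded)
    for algo in PREFERRED_ALGOS:
        if algo in digests:
            actual = hashlib.new(algo, data).digest()
            if not hmac.compare_digest(actual, digests[algo]):
                raise ValueError(f"{algo} mismatch: artifact differs from lockfile")
            return algo
    raise ValueError("no acceptable (sha256 or stronger) digest in lockfile entry")


if __name__ == "__main__":
    entry = [sri_hash(SAMPLE_ARTIFACT), sri_hash(SAMPLE_ARTIFACT, "sha512")]
    print("lockfile entry:", entry)
    print("verified with:", verify(SAMPLE_ARTIFACT, entry))
```

The preference loop is what makes "record sha256 plus something stronger" cheap to adopt later: a lockfile written by an older plugin that only carries sha256 still verifies, while a newer one that also carries sha512 is checked against sha512 without any format change.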