Is your feature request related to a problem? Please describe.
SHA1 isn't considered secure anymore and will keep us from getting 100% of the OpenSSF best practices, see #103
Describe the solution you'd like
The hashlib Python library already used by rdiff-backup supports all kinds of algorithms, so it should be comparatively easy to use any kind of algorithm.
Instead of SHA1Digest 9801739daae44ec5293d4e1f53d3f4d2d426d91c, we could have something like: Digest sha1:9801739daae44ec5293d4e1f53d3f4d2d426d91c or:
Where of course sha1 could be replaced by sha256 & Co
Describe alternatives you've considered
I'm asking myself the question if one hash algorithm per repository wouldn't be a better choice, it would make things possibly easier, but then it would make changing the hash algorithm more difficult.
Additional context
according to the first few tests, sha256 is more secure and not really slower than sha1, so it could become the new default
we will need a feature to convert old repositories, perhaps even a feature to change from one hashing algorithm to the next
and a new option to set the default hashing algorithm will be required
update the OpenSSF entry accordingly
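The algorithm-tagged digest line proposed in this issue, parsed and verified alongside the legacy `SHA1Digest` form, as an added example that is not part of the original issue and not rdiff-backup's own code. The function names, the `ALLOWED` list and the sample content are assumptions made for illustration.

```python
import hashlib
import hmac

# Assumption: digests this sketch accepts (hashlib names); not rdiff-backup's list.
ALLOWED = ("sha1", "sha256", "sha512")


def parse_digest_line(line):
    """Return (algorithm, hexdigest) from a legacy or algorithm-tagged line."""
    key, _, value = line.strip().partition(" ")
    if key == "SHA1Digest":  # legacy form quoted in the issue
        algo, hexdigest = "sha1", value
    elif key == "Digest" and ":" in value:  # proposed form: Digest <algo>:<hex>
        algo, hexdigest = value.split(":", 1)
    else:
        raise ValueError("not a digest line: %r" % line)
    algo, hexdigest = algo.lower(), hexdigest.lower()
    if algo not in ALLOWED:
        raise ValueError("unsupported digest algorithm: %r" % algo)
    # Reject truncated or padded values before comparing anything.
    if len(hexdigest) != hashlib.new(algo).digest_size * 2:
        raise ValueError("wrong length for %s digest" % algo)
    if any(c not in "0123456789abcdef" for c in hexdigest):
        raise ValueError("digest is not hexadecimal")
    return algo, hexdigest


def format_digest_line(data, algo="sha256"):
    """Build the algorithm-tagged line for data (bytes)."""
    if algo not in ALLOWED:
        raise ValueError("unsupported digest algorithm: %r" % algo)
    return "Digest %s:%s" % (algo, hashlib.new(algo, data).hexdigest())


def verify(data, line):
    """True if data matches the digest recorded in line."""
    algo, expected = parse_digest_line(line)
    actual = hashlib.new(algo, data).hexdigest()
    return hmac.compare_digest(actual, expected)


# Constructed sample content, not taken from a real repository.
SAMPLE = b"constructed sample file content\n"

if __name__ == "__main__":
    for name in ALLOWED:
        tagged = format_digest_line(SAMPLE, name)
        print(tagged, verify(SAMPLE, tagged))
    print(parse_digest_line("SHA1Digest 9801739daae44ec5293d4e1f53d3f4d2d426d91c"))
```

Because the legacy key still parses as sha1, old and new entries can coexist in one metadata file while a repository is converted.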