do not register sha384 by default #97
Force-pushed from e40c566 to 5dee832.
sha.go
@@ -18,6 +18,5 @@ const ( | |||
|
|||
func init() { | |||
RegisterAlgorithm(SHA256, crypto.SHA256) | |||
RegisterAlgorithm(SHA384, crypto.SHA384) |
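Review bot: dropping `RegisterAlgorithm(SHA384, crypto.SHA384)` from `init()` leaves the exported `SHA384` constant in the `const (` block above in place, so code referencing it keeps compiling while callers that relied on the default registration silently lose sha384 support until they call `RegisterAlgorithm(SHA384, crypto.SHA384)` themselves; add a doc comment on that constant saying it is no longer registered by default and how to opt in, and call the behaviour change out in the release notes.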
This is a breaking change, do we need to bump up the major version?
Hm... good question. Before 084376b (not yet part of a release), neither of them would work out of the box unless the algorithms were registered, so perhaps some wiggle room, but you may be right that it could be worth a v2 if we decide to remove.
(honestly not sure why SHA384 and SHA512 ever made it in at all, but 🤷♂️)
We don't have full support in distribution-spec for clients changing the algorithm (e.g. clients cannot control the algorithm when pushing a manifest by tag). And I've managed to break (waves arms wildly) just about everything by testing sha512. So I think this would be a fairly safe breaking change to make without a major version bump (which would be the bigger breaking change IMO). We'll eventually fix distribution-spec, so leaving this could create more problems later.
A middle ground would have been a "Deprecated" comment, but there's no exported field to set that on.
Let me move this one to draft; I rebased #98 to not depend on this PR.
This needs to be rebased because we made a big move in another PR.
The SHA-384 algorithm is not documented in the OCI image-spec ([1], [2]), and is not encouraged to be used. Commit 084376b registered all algorithms by default, but also included SHA-384.

This patch disables SHA-384 by default, to discourage its use.

[1]: https://github.com/opencontainers/image-spec/blob/v1.0.2/descriptor.md#digests
[2]: https://github.com/opencontainers/image-spec/blob/v1.0.2/descriptor.md#registered-algorithms

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Force-pushed from 5dee832 to dead9ba.
I rebased this, but kept it in draft for now, pending the discussion on this being a breaking change (and warranting a v2 of this module).
What should we do with this?
I vote rebase and merge this; if that is being used it is likely for non-OCI stuff and the impact would be too small to worry about.
related:
The SHA-384 algorithm is not documented in the OCI image-spec (1, 2), and is not encouraged to be used. Commit 084376b registered all algorithms by default, but also included SHA-384.
This patch disables SHA-384 by default, to discourage its use.