
Prep work for supporting multiple lockfile versions #27

Draft pull request: wants to merge 5 commits into main.

Conversation

stringbean (Owner) wrote:

Improves lockfile parsing, ready for the addition of lockfile v2.

@stringbean stringbean added the enhancement New feature or request label Jul 4, 2021
@stringbean stringbean self-assigned this Jul 4, 2021
roberth commented Sep 21, 2021

It'd be great if sbt-dependency-lock could switch to sha256 and this seems like a good opportunity to do so.
By switching to a secure hash, the lock file can be used to retrieve dependencies from an untrusted content addressable store such as IPFS securely.

roberth commented Sep 21, 2021

Also, if you're interested, you could switch to the SRI hash format, roughly algorithm followed by - followed by base64. It originates from a web specification, but is also used by the Nix package manager nowadays. This isn't nearly as important as switching to a secure hash, but I figured I'd share it.
You could still require only sha256 because simple is good when it comes to security. If sha256 breaks, you'll want everyone to upgrade anyway and have no uncertainty about the effectiveness of the upgrade. "have one joint and keep it well oiled" -- Adam Langley

colindean commented
👍 to SRI hash format, TIL it has a name. https://www.srihash.org has a nice tester with the content of https://www.srihash.org being sha256-uy7gpfhgyj+3Ylw65ROY6YOXHoC0M7Acb11Cd7pf1GU as of this posting.

Defaulting to including sha256 would be sane but enabling the user to opt into other formats explicitly or just choose one additional as the "best available" would be cool. Opting-into best-available would choose sha256 as a baseline but then also record something like sha3. Checking would consume the best available in some preference list.
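The two suggestions above (an SRI-style `algorithm-base64` string, and a sha256 baseline plus an optional "best available" extra hash checked in preference order) can be demonstrated together. The block below is an added example, not code from sbt-dependency-lock or from either commenter; it is written in Python rather than the plugin's Scala so it runs stand-alone. The preference list, the choice of sha3-256 as the "extra" algorithm, and the sample content are all assumptions made for the example.

```python
"""Added example (not sbt-dependency-lock code): SRI-style hashes for
lockfile entries, with a sha256 baseline plus a "best available" extra hash
that is checked in preference order. All inputs here are constructed."""
from __future__ import annotations

import base64
import binascii
import hashlib
import hmac

# Strongest first (assumed ordering for the example). sha1 and md5 are
# deliberately absent: a lockfile only pins content if the algorithm is
# collision-resistant, so unknown or weak algorithms are rejected on parse.
PREFERENCE = ("sha3-256", "sha512", "sha384", "sha256")

# SRI algorithm label -> hashlib constructor.
_HASHES = {
    "sha256": hashlib.sha256,
    "sha384": hashlib.sha384,
    "sha512": hashlib.sha512,
    "sha3-256": hashlib.sha3_256,  # assumed label for the "extra" hash
}


def sri_hash(data: bytes, algorithm: str = "sha256") -> str:
    """Return '<algorithm>-<base64 digest>' for data."""
    if algorithm not in _HASHES:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    digest = _HASHES[algorithm](data).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def parse_sri(value: str) -> tuple[str, bytes]:
    """Split an SRI string into (algorithm, raw digest), validating both.

    The base64 alphabet (A-Z a-z 0-9 + / =) never contains '-', so the last
    '-' separates the algorithm label (which may itself contain '-', as in
    sha3-256) from the digest.
    """
    algorithm, sep, b64 = value.rpartition("-")
    if not sep or algorithm not in _HASHES:
        raise ValueError(f"unsupported or malformed SRI entry: {value!r}")
    try:
        digest = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"bad base64 in SRI entry: {value!r}") from exc
    expected_len = _HASHES[algorithm]().digest_size
    if len(digest) != expected_len:
        raise ValueError(
            f"{algorithm} digest must be {expected_len} bytes, got {len(digest)}"
        )
    return algorithm, digest


def record(data: bytes, extra: str | None = "sha3-256") -> list[str]:
    """Lockfile entry: sha256 baseline plus an optional best-available extra."""
    hashes = [sri_hash(data, "sha256")]
    if extra and extra != "sha256":
        hashes.append(sri_hash(data, extra))
    return hashes


def verify(data: bytes, recorded: list[str]) -> str:
    """Check data against the strongest recorded hash, in PREFERENCE order.

    Returns the algorithm that was used. Raises ValueError if an entry is
    malformed, if no recorded algorithm is acceptable, or on mismatch.
    """
    by_algorithm = dict(parse_sri(entry) for entry in recorded)
    for algorithm in PREFERENCE:
        if algorithm in by_algorithm:
            actual = _HASHES[algorithm](data).digest()
            # Constant-time comparison, as for any digest check.
            if not hmac.compare_digest(actual, by_algorithm[algorithm]):
                raise ValueError(f"{algorithm} mismatch for recorded entry")
            return algorithm
    raise ValueError("no acceptable hash algorithm recorded for this entry")


if __name__ == "__main__":
    # Constructed stand-in for a downloaded artifact.
    artifact = b"sample jar bytes (constructed for the example)"
    entry = record(artifact)
    print("recorded:", entry)
    print("verified with:", verify(artifact, entry))
```

Only the strongest recorded hash is checked, which is what "consume the best available" implies; if the sha3-256 entry is absent the check falls back to sha256, so the scheme is only as strong as the weakest algorithm still accepted in the preference list, and that list is where an eventual upgrade is enforced. The lockfile itself still has to be trusted: the hashes protect against an untrusted store such as IPFS, not against someone who can edit the lockfile.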

@stringbean stringbean added this to the v2 milestone Jul 4, 2024