Conversation
Includes content to recalculate hashes
I note that the test suite tests for SHA256 hashes and would need to be updated to comply with the updated SHA384 hashes.

Thanks but this will cause every existing installation to break. You need to implement this as a plugin option and offer an interface to select one or more hash algorithms. I am fine with SHA-384 being the new default but I will not merge a change that breaks existing deployments.

I believe I covered that off with this PR. It will detect SHA256 hashes (based on strlen(hash)=44) for each tag it's considering and upgrade them to sha384 automatically. Hence would be seamless for any existing installation. It would do this at the time it's inserted into the code, so you'd never have a SHA hash that mismatches the sha384 prefix.

Oh, I see, I missed that. I'm sorry. I still want this to be an option, since the W3C's spec permits a choice of algorithms. I'd rather move closer to the spec than replace one algorithm with another outright.

Agreed, but that involves UI changes as well, so I’ll heed your direction on that. All of the CDNs including Google and MaxCDN use SHA384 now so it seems to be the standard people use and should be the default.

Agreed, and again, SHA384 would be a good default but I feel iffy about changing people's existing deployments. I don't know when I'll have time to extend the UI but I appreciate this patch and I'll circle back to this eventually.

What if, for the interim, I make it generate sha384 for new codes but still show the older codes without upgrading them? That would not fiddle with any existing web sites which would already have the 44-character codes but provide new sha384 for new files (which probably don’t exist on existing web sites).

No. At that point you are just making more work for me unnecessarily. There is nothing insecure about SHA-256. I will release a future version with SHA-384 support and it will be done in one revision cycle, not multiple. If you don't want to write the GUI portions, that's fine, but then the release happens on my timeline when I have the personal resources to do it, not through some compromise or half-baked rush job.
Includes content to recalculate hashes
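The length-based detection and automatic upgrade discussed in this thread, together with the multi-algorithm `integrity` value the SRI spec allows, shown as an added Python example; it is not code from this PR or the plugin. The function names and the sample script body are hypothetical, and the step that checks the stored digest against the file before re-hashing is an assumption added here.

```python
import base64
import binascii
import hashlib

# Raw digest size in bytes -> SRI algorithm token.
# The matching base64 lengths are 44, 64 and 88 characters.
DIGEST_SIZES = {32: "sha256", 48: "sha384", 64: "sha512"}


def detect_algorithm(digest_b64):
    """Return the SRI algorithm a bare base64 digest belongs to, or None."""
    try:
        raw = base64.b64decode(digest_b64, validate=True)
    except (binascii.Error, ValueError):
        return None  # not valid base64, so do not guess a prefix
    return DIGEST_SIZES.get(len(raw))


def integrity_value(content, algorithms=("sha384",)):
    """Build an integrity attribute value; several algorithms are space-separated."""
    parts = []
    for name in algorithms:
        digest = hashlib.new(name, content).digest()
        parts.append(name + "-" + base64.b64encode(digest).decode("ascii"))
    return " ".join(parts)


def upgrade_stored_hash(stored_b64, content, target="sha384"):
    """Re-hash content with target only if the stored digest still matches it."""
    current = detect_algorithm(stored_b64)
    if current is None:
        raise ValueError("stored value is not a SHA-256/384/512 digest")
    if integrity_value(content, (current,)) != current + "-" + stored_b64:
        # The file changed since the digest was stored: do not bless it.
        raise ValueError("stored digest does not match content; not upgrading")
    if current == target:
        return current + "-" + stored_b64
    return integrity_value(content, (target,))


# Constructed sample: a stand-in script body and its legacy 44-character hash.
SAMPLE = b"console.log('constructed sample');\n"
LEGACY = base64.b64encode(hashlib.sha256(SAMPLE).digest()).decode("ascii")

if __name__ == "__main__":
    print(len(LEGACY), detect_algorithm(LEGACY))
    print(upgrade_stored_hash(LEGACY, SAMPLE))
    print(integrity_value(SAMPLE, ("sha384", "sha512")))
```

Decoding the digest and checking its byte length, instead of only counting characters, keeps a malformed 44-character string from being labelled as SHA-256.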