This repository has been archived by the owner on May 20, 2021. It is now read-only.
Force a move from sha1 to sha256 or sha512 #125
Comments
grahamc
changed the title
|
Just a note that since 2017 both yarn and npm use sha512 by default (sha1 is only used for compatibility with legacy packages). The |
|
Sounds good, then it won't require many packages to be rehashed to get a sha-512. |
10 tasks
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
sha1 is pretty broken: https://sha-mbles.github.io/
I think it is time to force a move to sha256. If npm isn't providing better than sha1, I think we should fetch the file, validate the sha1 matches, and then calculate a sha256.
What do you think about that? Right now, yarn2nix-built packages represent the vast majority of sha1 references in Nixpkgs, which we're trying to get rid of: NixOS/nixpkgs#77238
The text was updated successfully, but these errors were encountered: