Version 2 of SWHID, ISO/IEC 18670:2025?
Simon Josefsson
simon at josefsson.org
Mon Jan 19 15:17:49 UTC 2026
Stefano Zacchiroli <zack at upsilon.cc> writes:
> But kpcyrd is fully right: while we wanted to standardize SWHIDv1
> because it was already (de facto) used out there, SWHIDv2 with stronger
> hashes is needed and we are already working on it. Tentatively we want
> to simply switch to SHA-2, with SHA-256 hashes, which would be a
> relatively easy standard upgrade. But at the same time it will also make
> textual hashes much longer, so we would *also* like to offer some more
> compact representations of hashes than hex (possibly as an optional
> alternative to hex encoding).
How about using SHA3-256 and base64 encoded hash values?
SHA2 was published in 2001. It suffers from the same Merkle-Damgård
limitations that SHA1 has. The SHA-3 algorithm was published in 2012.
There are incremental security results for SHA2:
https://en.wikipedia.org/wiki/SHA-2
If truly you are not relying on cryptographic properties, how about
using a non-cryptographic hash function like xxHash instead?
However, I think that at some levels, your hash values will be used in
ways that have security implications, so using a modern and strong hash
algorithm seems prudent. I would not classify SHA2 as modern; it is
over 25 years old.
/Simon
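As an added illustration of the size trade-off discussed in this thread (example code, not part of the original message or of the SWHID project): hashing a constructed sample with SHA-1, SHA-256 and SHA3-256 and rendering each digest as hex and as unpadded base64url, so the textual lengths can be compared directly. The sample bytes, the function names and the choice of base64url without padding are assumptions.

```python
import base64
import hashlib

# Constructed sample input standing in for a source artifact.
SAMPLE = b"int main(void) { return 0; }\n"

ALGORITHMS = ("sha1", "sha256", "sha3_256")


def digest_text(data: bytes, algo: str, encoding: str) -> str:
    """Return the digest of `data` as text, in hex or unpadded base64url."""
    raw = hashlib.new(algo, data).digest()
    if encoding == "hex":
        return raw.hex()
    if encoding == "base64":
        # base64url keeps the identifier free of '/' and '+'; padding is
        # dropped because the digest length is fixed for each algorithm.
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")
    raise ValueError(f"unknown encoding {encoding!r}")


def decode_digest(text: str, encoding: str) -> bytes:
    """Invert digest_text, restoring base64 padding before decoding."""
    if encoding == "hex":
        return bytes.fromhex(text)
    padded = text + "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(padded)


def length_table(data: bytes) -> dict:
    """Map (algorithm, encoding) -> textual digest length for `data`."""
    return {
        (algo, enc): len(digest_text(data, algo, enc))
        for algo in ALGORITHMS
        for enc in ("hex", "base64")
    }


if __name__ == "__main__":
    for (algo, enc), n in sorted(length_table(SAMPLE).items()):
        print(f"{algo:9s} {enc:7s} {n:3d} chars  {digest_text(SAMPLE, algo, enc)}")
```

SHA-256 and SHA3-256 produce digests of the same size, so the textual length is decided by the encoding, not by which of the two is chosen; base64url trims a 64-character hex digest to 43 characters.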