Version 2 of SWHID, ISO/IEC 18670:2025?

Stefano Zacchiroli zack at upsilon.cc
Mon Jan 19 16:20:31 UTC 2026


On Mon, Jan 19, 2026 at 04:17:49PM +0100, Simon Josefsson wrote:
> How about using SHA3-256 and base64 encoded hash values?

As a methodological answer, this is the kind of conversation that best
belongs to the SWHID WG, rather than here.

That said, your arguments against SHA2 (256) are well taken. One argument
in *favor* of SHA2-256 is Git compatibility --- which in the supply
chain context is a real plus, as it will ease cross-reference
information from different sources, even when one lacks the referenced
material (to compute other hashes). Some of the arguments that made Git
decide the way they did also apply to SWHIDv2.

Regarding encoding: yes, base64 is a possibility that we are
considering.

Cheers
-- 
Stefano Zacchiroli - https://upsilon.cc/zack
Full professor of Computer Science, Polytechnic Institute of Paris
Co-founder & CSO Software Heritage
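
The Git-compatibility argument above, as an added example that is not part of the message or of the SWHID specification: it hashes a file with Git's blob framing under SHA-1 (the SWHID version 1 content identifier), SHA-256 (the value a SHA-256 Git repository records) and SHA3-256, and compares hex with base64 length. It defines no SWHIDv2 syntax; the function names and the unpadded URL-safe base64 alphabet are assumptions made for illustration.

```python
import base64
import hashlib


def git_object_id(content: bytes, algo: str = "sha1", obj_type: str = "blob") -> bytes:
    """Digest of b"<type> <len>\\0" + content, the framing Git hashes for an object."""
    header = f"{obj_type} {len(content)}\0".encode()
    return hashlib.new(algo, header + content).digest()


def swhid_v1_content(content: bytes) -> str:
    """SWHID version 1 for file content: swh:1:cnt:<hex SHA-1 Git blob id>."""
    return "swh:1:cnt:" + git_object_id(content, "sha1").hex()


def encodings(digest: bytes) -> dict:
    """Hex next to unpadded URL-safe base64 (alphabet choice is an assumption)."""
    b64 = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return {"hex": digest.hex(), "base64": b64}


def compare(content: bytes) -> dict:
    sha2 = git_object_id(content, "sha256")    # what a SHA-256 Git repository records
    sha3 = git_object_id(content, "sha3_256")  # same framing, different hash function
    return {
        "swhid_v1": swhid_v1_content(content),
        "git_sha256": encodings(sha2),
        "sha3_256": encodings(sha3),
        # False: a SHA3-256 id cannot be matched against ids already recorded by
        # Git without re-hashing the original bytes.
        "matches_git_sha256": sha3 == sha2,
    }


if __name__ == "__main__":
    sample = b"hello\n"  # constructed sample input
    for key, value in compare(sample).items():
        print(key, value)
```
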

