On Sun, May 09 2021, brian m. carlson wrote:

> On 2021-05-08 at 02:22:25, dwh@xxxxxxxxxxxxxxxxxxx wrote:
>> Hi Everybody,
>>
>> I was reading through the
>> Documentation/technical/hash-function-transition.txt doc and realized
>> that the plan is to support allowing BOTH SHA1 and SHA256 signatures to
>> exist in a single object:
>>
>> > Signed Commits
>> > 1. using SHA-1 only, as in existing signed commit objects
>> > 2. using both SHA-1 and SHA-256, by using both gpgsig-sha256 and gpgsig
>> > fields.
>> > 3. using only SHA-256, by only using the gpgsig-sha256 field.
>> >
>> > Signed Tags
>> > 1. using SHA-1 only, as in existing signed tag objects
>> > 2. using both SHA-1 and SHA-256, by using gpgsig-sha256 and an in-body
>> > signature.
>> > 3. using only SHA-256, by only using the gpgsig-sha256 field.
>
> Yes, this is the case. We have tests for this case.
>
>> The design that I'm working on only supports a single signature that
>> uses a combination of fields: one 'signtype', zero or more 'signoption'
>> and one 'sign' in objects. I am thinking that the best thing to do is
>> replace the gpgsig-sha256 fields in objects and allow old gpgsig (commits)
>> and in-body (tags) signatures to co-exist along side to give the same
>> functionality.
>
> You can't do that. SHA-256 repositories already exist and that would
> break compatibility.

From memory this is at least the second time you've brought up this
point on-list. My feeling is that almost nobody's using sha256
currently, and we have a very prominent ALL CAPS warning saying the
format is experimental and may change, see ff233d8dda1 (Documentation:
mark `--object-format=sha256` as experimental, 2020-08-16).

I agree with the docs as they stand, and don't think we should hold back
on changing the object format for sha256 in general if there's a
compelling reason to do so.

Whether this suggested change has a compelling reason is another matter
(I haven't reviewed it).

But it seems to me that if the main person pushing the sha256 effort
disagrees with the content of
Documentation/object-format-disclaimer.txt, we'd be better off at this
point discussing a patch to change the wording there to something to the
effect that we consider the format set in stone at this point.