On 2024-03-14 at 12:47:16, Eric W. Biederman wrote:
> That said I think a lot of think we do a lot of that today in practice
> by simply detecting the length of the hash.

That's only true for the dumb HTTP protocol. Everything else should not do that and we specifically want to avoid doing that, since we may very well end up with SHA-3-256 or another 256-bit hash instead of SHA-256 if there are sufficient cryptographic advances.

In fact, if we're going to support reftables via the dumb HTTP protocol, then we should add some sort of capability advertisement that tells the remote side what functionality is supported, and simply specify the hash in that format.

-- 
brian m. carlson (they/them or he/him)
Toronto, Ontario, CA
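The ambiguity raised in the message above, as an added example that is not part of the original thread or of Git's code: two 256-bit hashes yield object IDs of the same length, so length detection cannot choose between them, while an explicitly advertised hash name can. Assumptions: `sha3-256` as an object-format name and the advertisement string are constructed for illustration; `object-format=` is borrowed from Git's smart-protocol capability of that name.

```python
import hashlib

# Digest constructors keyed by object-format name. "sha1" and "sha256" are
# Git's existing formats; "sha3-256" is hypothetical, standing in for the
# future 256-bit hash the message mentions.
HASHES = {"sha1": hashlib.sha1, "sha256": hashlib.sha256,
          "sha3-256": hashlib.sha3_256}

# Constructed sample data (not taken from any real repository or server).
CONTENT = b"hello\n"
CONSTRUCTED_ADVERT = "object-format=sha3-256 agent=example/0.0"


def blob_oid(content: bytes, algo: str) -> str:
    """Hash a blob the way Git does: 'blob <size>' + NUL byte + content."""
    h = HASHES[algo]()
    h.update(b"blob %d\x00" % len(content))
    h.update(content)
    return h.hexdigest()


def guess_by_length(hex_oid: str) -> list:
    """Length-based detection: every algorithm whose hex digest is this long."""
    return sorted(name for name, ctor in HASHES.items()
                  if ctor().digest_size * 2 == len(hex_oid))


def advertised_format(capabilities: str) -> str:
    """Read the hash name from an explicit advertisement (sha1 if absent)."""
    for cap in capabilities.split():
        key, _, value = cap.partition("=")
        if key == "object-format":
            if value not in HASHES:
                raise ValueError(f"unsupported object format: {value}")
            return value
    return "sha1"


def verify(hex_oid: str, content: bytes, algo: str) -> bool:
    """Recompute the object ID under the given algorithm and compare."""
    return blob_oid(content, algo) == hex_oid


if __name__ == "__main__":
    oid = blob_oid(CONTENT, "sha3-256")
    print("length-based candidates:", guess_by_length(oid))
    print("advertised format:      ", advertised_format(CONSTRUCTED_ADVERT))
    print("verifies as sha256?     ", verify(oid, CONTENT, "sha256"))
    print("verifies as advertised? ", verify(oid, CONTENT, "sha3-256"))
```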