| 14 Oct 2025 |
 emily | since people have already put work into treewides/warnings for it | 16:30:06 |
 K900 | It doesn't have to be passed in as sha256 = | 16:30:09 |
| K900 | hash = "sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" works | 16:30:30 |
| K900 | (is this stupid? yes. are we stuck with it? also yes) | 16:30:35 |
| emily | sha256:… is worse IMO, since that is just a pretty arbitrary non-standard format | 16:30:36 |
| emily | AIUI on the Nix end at least it's explicitly considered legacy/compat | 16:30:43 |
| K900 | Yes but it's a format we already have that doesn't require exposing weird API surface for the problem that convertHash is used to actually solve | 16:31:09 |
| emily | as in if I had to choose between proliferating sha256 = …; and hash = "sha256:" + …; I'd pick the former | 16:31:23 |
| K900 | And if we ever end up in a world where only SRI is accepted, I'd rather have a builtins.legacyHashToSRI or whatever | 16:31:41 |
