I notice that CertMagic uses Blake3 for the certCache.cache key. What’s the rationale for that? Why not use the tried and true sha256?
I’ve read that Bruce Schneier favors Blake2 over Sha1 and that it has some performance benefits, but I also know that the Go team isn’t particularly concerned or interested in Blake3, which seems a strong signal to me that its benefits don’t outweigh the cost to them of maintainership.
Is there really that much benefit to bringing in a somewhat experimental hash algorithm as a dependency for a single call site?
(I imagine it may be used in other places in the broader codebase as well, but that’s all I’ve seen so far)
I doubt it does any harm other than the small risk of adding a supply chain attack vector (which seems very unlikely to be of consequence), but the dependencies for CertMagic are particularly well pared down, so I’m wondering what makes Blake3 so compelling for this use case?
P.S. I’m also curious to know why blake3 is using the cpuid dependency rather than the Go team’s avx2 / sse4 detection: “Why use `klauspost/cpuid` rather than `x/sys/cpu` for avx2 and sse4 detection?” (Issue #29 · zeebo/blake3 · GitHub)
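To make the "single call site" point concrete, here is an added example (not CertMagic's code, and not from the question's author) of a certificate cache key derived through Go's `hash.Hash` interface. The digest algorithm is chosen in exactly one variable, so the choice between the standard library's SHA-256 and a third-party hash is confined to that one line; the function names, the `certKeyHash` variable and the PEM-looking sample inputs are all constructed for this illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"hash"
)

// certKeyHash is the single place where the digest algorithm is selected.
// Any hash.Hash constructor can be assigned here; the standard library's
// SHA-256 is used so the example runs with no third-party dependency.
// (Hypothetical variable name, chosen for this example.)
var certKeyHash func() hash.Hash = sha256.New

// CacheKey derives a stable, hex-encoded cache key from the raw bytes of a
// certificate chain (e.g. its PEM encoding). The key only needs to be
// deterministic and collision-resistant; it carries no secret.
func CacheKey(certBytes []byte) string {
	h := certKeyHash()
	h.Write(certBytes) // hash.Hash.Write is documented never to return an error
	return hex.EncodeToString(h.Sum(nil))
}

// certCache is a minimal in-memory cache keyed by CacheKey, standing in for
// the real cache the question refers to (constructed example, not CertMagic's).
type certCache struct {
	cache map[string][]byte
}

func newCertCache() *certCache {
	return &certCache{cache: make(map[string][]byte)}
}

// Put stores the certificate under its derived key and returns that key.
func (c *certCache) Put(certBytes []byte) string {
	key := CacheKey(certBytes)
	c.cache[key] = certBytes
	return key
}

// Get looks a certificate up by the key Put returned.
func (c *certCache) Get(key string) ([]byte, bool) {
	v, ok := c.cache[key]
	return v, ok
}

func main() {
	// Constructed sample inputs; not real certificates.
	certA := []byte("-----BEGIN CERTIFICATE-----\nconstructed-cert-A\n-----END CERTIFICATE-----\n")
	certB := []byte("-----BEGIN CERTIFICATE-----\nconstructed-cert-B\n-----END CERTIFICATE-----\n")

	cc := newCertCache()
	keyA := cc.Put(certA)
	keyB := cc.Put(certB)
	fmt.Println("key A:", keyA)
	fmt.Println("key B:", keyB)
	_, found := cc.Get(keyA)
	fmt.Println("lookup A found:", found)
}
```

Because `CacheKey` only touches `certKeyHash`, reviewing or replacing the hash dependency means auditing one assignment rather than every cache lookup; that is the trade-off the question is weighing.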