Gentoo Archives: gentoo-dev

From:	Matthias Maier <tamiko@g.o>
To:	gentoo-dev@l.g.o
Subject:	Re: [gentoo-dev] [RFC] New Manifest hashes and how to enable them
Date:	Mon, 03 Apr 2017 17:25:28
Message-Id:	`878tnhflos.fsf@kestrel.kyomu.43-1.org`
In Reply to:	[gentoo-dev] [RFC] New Manifest hashes and how to enable them by "Michał Górny"

1	> manifest-hashes = SHA512 SHA3-512 WHIRLPOOL
2	>
3	> Your thoughts?
4
5	I just want to point out that according to GLEP 63 we only require pgp
6	signatures with at least sha-256 [1]. Further, our PGP signatures by the
7	release team are as well either SHA-256/SHA-512.
8
9	So using SHA3-512 (or whirlpool for that matter) is nice but it feels a
10	bit like overdoing it a bit. What about simply SHA512 and calling it a
11	day?
12
13	Further, it might be a good time to finally resolve the issue with our
14	rsync integrity for users. (What is the gain of using a secure hash
15	algorithm in the manifests if you can simply replace the manifest with a
16	MITM attack on the rsync update?)
17
18	Best,
19	Matthias
20
21	[1] https://wiki.gentoo.org/wiki/GLEP:63#Specifications_for_GnuPG_keys

File name	MIME type
signature.asc	application/pgp-signature

Subject	Author
Re: [gentoo-dev] [RFC] New Manifest hashes and how to enable them	"Vadim A. Misbakh-Soloviov" <gentoo@×××.name>