1 |
> manifest-hashes = SHA512 SHA3-512 WHIRLPOOL |
2 |
> |
3 |
> Your thoughts? |
4 |
|
5 |
I just want to point out that according to GLEP 63 we only require pgp |
6 |
signatures with at least sha-256 [1]. Further, our PGP signatures by the |
7 |
release team are as well either SHA-256/SHA-512. |
8 |
|
9 |
So using SHA3-512 (or whirlpool for that matter) is nice but it feels a |
10 |
bit like overdoing it a bit. What about simply SHA512 and calling it a |
11 |
day? |
12 |
|
13 |
Further, it might be a good time to finally resolve the issue with our |
14 |
rsync integrity for users. (What is the gain of using a secure hash |
15 |
algorithm in the manifests if you can simply replace the manifest with a |
16 |
MITM attack on the rsync update?) |
17 |
|
18 |
Best, |
19 |
Matthias |
20 |
|
21 |
[1] https://wiki.gentoo.org/wiki/GLEP:63#Specifications_for_GnuPG_keys |