| 1 |
Hi Ulrich, |
| 2 |
|
| 3 |
On Tue, Apr 5, 2022 at 4:10 PM Ulrich Mueller <ulm@g.o> wrote: |
| 4 |
> The OpenPGP signature is for the top-level Manifest only. In case there |
| 5 |
> was any trouble, it would be trivial to change the hash algorithm used |
| 6 |
> for this. |
| 7 |
> |
| 8 |
> In constrast to that, updating the hashes in all Manifest files is a |
| 9 |
> huge pain in the neck. Basically, you must download all distfiles, which |
| 10 |
> is not trivial. For example, think of fetch-restricted files. (I've |
| 11 |
> helped twice with updating Manifest files, so I believe I know what I'm |
| 12 |
> talking about. :) |
| 13 |
|
| 14 |
The thing is, if SHA-512 is broken, that will really be the least of |
| 15 |
our concerns. TLS itself will be broken.... |
| 16 |
|
| 17 |
Jason |
Archives