| 1 |
[Sent from my iPad, as it is not a secured device there are no cryptographic keys on this device, meaning this message is sent without an OpenPGP signature. In general you should *not* rely on any information sent over such an unsecure channel, if you find any information controversial or un-expected send a response and request a signed confirmation] |
| 2 |
|
| 3 |
> On 3 Apr 2017, at 18:09, Michał Górny <mgorny@g.o> wrote: |
| 4 |
> |
| 5 |
|
| 6 |
> Therefore, my proposal would be to use the following set once their |
| 7 |
> support reaches the stable version of Portage: |
| 8 |
> |
| 9 |
> manifest-hashes = SHA512 SHA3-512 WHIRLPOOL |
| 10 |
> |
| 11 |
> |
| 12 |
> Your thoughts? |
| 13 |
> |
| 14 |
|
| 15 |
SHA256 is perfectly fine to use from a security perspective, so no need to do anything from that point of view. The big difference between SHA256 and SHA512 is performance, you have significant gains of using sha256 on 32 bit architectures, whereby SHA512 is quite fine when having 64 bit registers. SHA512 is well-tested and already part of package managers etc, so I dont really have too strong opinions on making it mandatory and allow for sha256 to be replaced, as long as it is clear that it isn't required from a strict security view. |
| 16 |
|
| 17 |
As for SHA3 introduction, how well tested is the implementation used by the package managers, what are performance metrics etc? We don't really need this atm, but nice to have it in the package managers as a backup if that was to change, but should not be required digest algo |
| 18 |
|
| 19 |
(and yes, we really need to give Gentoo Keys all the help that we can in getting the OpenPGP signing ready, everything else is just bikeshedding until that is in place and it is a making me rather sad that we haven't managed to do this already) |
Archives