| 1 |
Hi, everyone. |
| 2 |
|
| 3 |
The previous discussion on Manifest2 hashes pretty much died away |
| 4 |
pending fixes to Portage. Since Portage was fixed a while ago, and we |
| 5 |
can now safely switch, I'd like to reboot the discussion before |
| 6 |
submitting the item for the next Council meeting. |
| 7 |
|
| 8 |
Considering all arguments made so far, I'd like to propose changing: |
| 9 |
|
| 10 |
manifest-hashes = SHA256 SHA512 WHIRLPOOL |
| 11 |
|
| 12 |
to: |
| 13 |
|
| 14 |
manifest-hashes = SHA512 SHA3_512 |
| 15 |
|
| 16 |
In other words, removing SHA256 and WHIRLPOOL, and adding SHA3_512. |
| 17 |
|
| 18 |
|
| 19 |
Rationale |
| 20 |
--------- |
| 21 |
|
| 22 |
1. The main argument for using multiple hashes is to prevent the (very |
| 23 |
unlikely) possibility that if a weakness is discovered in one of |
| 24 |
the hashes, the other would still hold. This is given by using two |
| 25 |
algorithms; more than two do not increase security significantly, while |
| 26 |
they do increase performance cost. |
| 27 |
|
| 28 |
2. For the above to hold, the hashes should be diverse. SHA256 |
| 29 |
and SHA512 are the same algorithm, so a weakness discovered in either |
| 30 |
would probably apply to both -- keeping both does not make sense at all. |
| 31 |
Furthermore, both SHA2 and WHIRLPOOL use the same construct (MD), so |
| 32 |
a weakness in the construct would apply to both. |
| 33 |
|
| 34 |
3. Keeping one of the three old hashes is necessary for compatibility |
| 35 |
reasons. Furthermore, the current versions of Portage consider SHA512 |
| 36 |
obligatory, so we can't remove it without redesigning Portage first |
| 37 |
(though I think this applies only to developer installs, i.e. those |
| 38 |
creating Manifests). |
| 39 |
|
| 40 |
4. The new hashes that are stronger and commonly available are |
| 41 |
SHA3/Keccak (using sponges) and BLAKE2 (HAIFA). Both are diverse from |
| 42 |
our current algorithms, so either is a good candidate. The choice of |
| 43 |
Keccak is purely arbitrary (because it's the winner?). |
| 44 |
|
| 45 |
All the above considered, I think it's most reasonable to use two hashes |
| 46 |
with diverse constructs. SHA512 needs to be one of them, for |
| 47 |
compatibility reasons. The other could be either SHA3_512 or BLAKE2B, |
| 48 |
as a strong, future-proof hash. SHA3 is probably a better choice because |
| 49 |
it's going to have more support as the official recommendation. |
| 50 |
|
| 51 |
-- |
| 52 |
Best regards, |
| 53 |
Michał Górny |
Archives