1 |
On Thursday 21 September 2006 10:00, Brian Harring wrote: |
2 |
> On Thu, Sep 21, 2006 at 09:49:18AM -0400, Mike Frysinger wrote: |
3 |
> > On Thursday 21 September 2006 09:34, Marius Mauch wrote: |
4 |
> > > Manifest2 records do not contain a MD5 checksum. The only guaranteed |
5 |
> > > checksum type there is SHA1. So once manifest1 is phased out the tree |
6 |
> > > will not contain MD5 checksums anymore. |
7 |
> > |
8 |
> > by "guaranteed" do you mean "guaranteed to be in the records" ? SHA1 has |
9 |
> > proven to be "insecure" like MD5 |
10 |
> |
11 |
> Guranteed to be in the chksum data; iow, when manifest2 is switched |
12 |
> over to fully all manifest1/digest data becomes effectively invisible |
13 |
> to portage and is filtered out on commits. |
14 |
> |
15 |
> So... what's guranteed in manifest2 now is just sha1. In reality, it |
16 |
> holds size/sha1/sha256/rmd160 per file entry. |
17 |
|
18 |
ok, but it just seems silly to go cutting MD5 but leaving SHA1 ... if we're |
19 |
going to be leaving an insecure format, we might as well keep the one that is |
20 |
a virtual standard in and of itself (MD5) |
21 |
-mike |