Gentoo Archives: gentoo-dev

From: Jonas Stein <jstein@g.o>
To: gentoo-dev@l.g.o
Subject: Re: [gentoo-dev] proposal: use only one hash function in manifest files
Date: Tue, 05 Apr 2022 21:13:19
In Reply to: [gentoo-dev] proposal: use only one hash function in manifest files by "Jason A. Donenfeld"
1 Hi
3 > I'd like to propose the following for portage:
4 >
5 > - Only support one "secure" hash function (such as sha2, sha3, blake2, etc)
6 > - Only generate and parse one hash function in Manifest files
7 > - Remove support for multiple hash functions
9 No, this has no benefit.
11 > In other words, what are we actually getting by having _both_ SHA2-512
12 > and BLAKE2b for every file in every Manifest?
14 Implementations are often broken and we have to expect zero day attacks
15 on hashes and on signatures. Hence it does not hurt to have a second hash.
17 It is very likely that we can not trust in X for a while in the next
18 years, but it is very unlikely that two different implementations are
19 affected.
21 Additionally calculating a second hash does not cost anything.
22 This was also the outcome of the discussion some time ago here.
24 --
25 Best,
26 Jonas