On Fri, Oct 20, 2017 at 12:49 AM, Gordon Pettey <petteyg359@×××××.com>
wrote:

> On Thu, Oct 19, 2017 at 5:32 PM, Hanno Böck <hanno@g.o> wrote:
>
>> On Thu, 19 Oct 2017 21:08:40 +0200
>> Michał Górny <mgorny@g.o> wrote:
>>
>> > manifest-hashes = SHA512 SHA3_512
>>
>> Counterproposal: Just use SHA512.
>>
>> There isn't any evidence that any SHA2-based hash algorithm is going to
>> be broken any time soon. If that changes there will very likely be
>> decades of warning before a break becomes practical.
>>
>> Having just one hash is simpler and using a well supported one like
>> SHA512 may make things easier than using something that's still not
>> very widely supported.
>
>
> Yet having more than one lets you make sure nobody hijacked your
> manifest file when an attack vector is inevitably discovered for the old
> new algorithm (whether SHA2, SHA3, or BLAKE2), because you'll be able to
> confirm the file is the same one that matched the old checksum in addition
> to the new one.
>

As Hanno was saying, we'll have decades of warning before a break becomes
practical, so I don't think this is a real concern.

I think the problem of having this discussion on gentoo-dev this way is
that people with vastly different levels of security/crypto expertise are
discussing different options without much regard for the level of expertise
(and maybe even unaware of others' relevant expertise).

I support Hanno's suggestion of doing just SHA512, but would be interested
in hearing opinions from others who have apparent security/crypto
experience. Maybe the Security project can weigh the suggestions as well?

Cheers,

Dirkjan
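
Added example, not part of the original thread and not Portage's own code: a small verifier showing what the two proposals mean at check time, with every hash listed in a Manifest entry required to match and a policy of required hash names. It assumes the `DIST <name> <size> <HASH> <hex> ...` entry layout; the file name, file contents and the function names are constructed for illustration.

```python
import hashlib

# Hash names as written in the thread's manifest-hashes line.
HASHES = {"SHA512": hashlib.sha512, "SHA3_512": hashlib.sha3_512}

def parse_entry(line):
    """Parse 'DIST <name> <size> <HASH> <hex> [<HASH> <hex> ...]'."""
    fields = line.split()
    if len(fields) < 5 or len(fields) % 2 == 0:
        raise ValueError("malformed Manifest entry")
    return fields[1], int(fields[2]), dict(zip(fields[3::2], fields[4::2]))

def make_entry(name, data, hash_names):
    """Build an entry for data (used here only to construct sample input)."""
    parts = ["DIST", name, str(len(data))]
    for h in hash_names:
        parts += [h, HASHES[h](data).hexdigest()]
    return " ".join(parts)

def verify(line, data, required=("SHA512",)):
    """Return (ok, failures): size and every listed hash must match,
    and every hash named in required must be present in the entry."""
    _, size, digests = parse_entry(line)
    failures = []
    if len(data) != size:
        failures.append("size")
    failures += [h + ":missing" for h in required if h not in digests]
    for h, expected in digests.items():
        if h not in HASHES:
            failures.append(h + ":unsupported")
        elif HASHES[h](data).hexdigest() != expected.lower():
            failures.append(h + ":mismatch")
    return (not failures, failures)

if __name__ == "__main__":
    good = b"sample distfile contents A\n"   # constructed
    other = b"sample distfile contents B\n"  # constructed, same length
    entry = make_entry("foo-1.0.tar.gz", good, ["SHA512", "SHA3_512"])
    print(verify(entry, good))
    # Stand-in for a break of one algorithm: the SHA512 field is made to
    # match the substituted file; SHA3_512 still describes the original.
    fields = entry.split()
    fields[4] = HASHES["SHA512"](other).hexdigest()
    print(verify(" ".join(fields), other))
```

With a single-hash entry the second check would have nothing left to fail on, which is the trade-off the thread is weighing against the simplicity of one well-supported algorithm.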