1 |
Hi Rich, |
2 |
|
3 |
On 4/6/22, Rich Freeman <rich0@g.o> wrote: |
4 |
> On Tue, Apr 5, 2022 at 8:05 PM Sam James <sam@g.o> wrote: |
5 |
> Our security fails currently if EITHER SHA2-512 or a hardened version |
6 |
> of SHA-1 are defeated. Our top gpg signature is bound to a git commit |
7 |
> record by SHA2-512, and the git commit record is bound to everything |
8 |
> else in the repository (including the manifest objects) by SHA-1, |
9 |
> because git hasn't transitioned away from that (as far as I'm aware it |
10 |
> is still a work in progress - the SHA-1 algorithm it uses is hardened |
11 |
> against known attacks). |
12 |
|
13 |
Sort of. The security between infra and users relies on SHA2-512. The |
14 |
security between devs and infra relies on SHA-1. I guess the "full |
15 |
system" depends on both, but I've been focused on the more likely |
16 |
issue of a community-run mirror serving bogus files. |
17 |
|
18 |
> I agree that this is an unlikely scenario, so it is a judgement call |
19 |
> as to whether the ease of recovery in the event of a failure is worth |
20 |
> the cost to maintain the second hash. I agree that we'd need double |
21 |
> algorithms in the whole stack to prevent a failure, but in the current |
22 |
> state we do have advantages for recovering from a failure after the |
23 |
> fact. |
24 |
> |
25 |
> It seems that the likely scenario is that we get advance warning of |
26 |
> weaknesses in a hash function, but without a practical exploit being |
27 |
> readily available. In that case we could do a more orderly |
28 |
> transition. We'd still save time with the double hashed manifests, |
29 |
> and whether this makes a difference is hard to say. |
30 |
|
31 |
Yea I see this argument, but I don't quite buy it. Maintaining two |
32 |
sets of hashes for the unlikely event that one gets broken AND we |
33 |
absolutely cannot incrementally transition gradually to an unbroken |
34 |
one seems rather overblown. |
35 |
|
36 |
Jason |