Ulrich Mueller:

>> So you are suggesting to not migrate at all or severely break the
>> workflow because someone might forge _working code_ with a specific
>> SHA1? There is no efficient algorithm for that afaik, those are just
>> about finding _any_ collision and even then it takes considerable
>> resources that can be used to break Gentoo in much easier ways.
>
> The weakness of SHA-1 has been discussed for several years, and it is
> generally recommended that one should slowly move away from it.
> Therefore I would find it strange if we (in 2014!) deployed a system
> relying on it, while in our present Manifest files SHA-1 was already
> abandoned a long time ago, in favour of more secure hashes. It looks
> like a move in the wrong direction.
>

You are only talking about hashes, not about practical security.