| 1 |
Ulrich Mueller: |
| 2 |
>> So you are suggesting to not migrate at all or severely break the |
| 3 |
>> workflow because someone might forge _working code_ with a specific |
| 4 |
>> SHA1? There is no efficient algorithm for that afaik, those are just |
| 5 |
>> about finding _any_ collision and even then it takes considerable |
| 6 |
>> resources that can be used to break gentoo in much easier ways. |
| 7 |
> |
| 8 |
> Weakness of SHA-1 is discussed since several years, and it is |
| 9 |
> generally recommended that one should slowly move away from it. |
| 10 |
> Therefore I would find it strange if we (in 2014!) deployed a system |
| 11 |
> relying on it, while in our present Manifest files SHA-1 was already |
| 12 |
> abandoned long time ago, in favour of more secure hashes. It looks |
| 13 |
> like a move in the wrong direction. |
| 14 |
> |
| 15 |
|
| 16 |
You are only talking about hashes, not about practical security. |
Archives