Gentoo Archives: gentoo-dev

From: Denis Dupeyron <calchan@g.o>
To: gentoo-dev@l.g.o
Subject: Re: [gentoo-dev] GLEP59 - Manifest2 hashes
Date: Tue, 02 Feb 2010 06:06:53
In Reply to: Re: [gentoo-dev] GLEP59 - Manifest2 hashes by Doug Goldstein
On Mon, Feb 1, 2010 at 1:23 AM, Doug Goldstein <cardoe@g.o> wrote:
> However, great work on this GLEP, you've put forth some good solid
> research into it.
Agreed. I would suggest using this series of GLEPs as examples of what to do for future GLEP writers.
> I do hope that we don't intend on settling on SHA512 as the end all
> solution as well. We should retain a method for bumping the hashing
> algorithm used when the SHA-3 family becomes available.
From the way I understand it the GLEP implies that we can add hashes at will. But that's a good point, and a one-liner somewhere making it explicit would be useful. Thus, in "What should be done" I would for example replace "We should be prepared to add stronger checksums wherever possible, and to remove those that have been defeated." with:

"Stronger checksums shall be added as soon as an implementation is available in Portage. Weak checksums may be removed as long as the depreciation process is followed (see below)."

And then, in "Checksum depreciation timing" I would prefer that the description of what needs to be done in the present situation was used as an example after a more general rule is stated. Something like:

"At least one older algorithm must remain until the new one(s) has (have) been in stable Portage for minimum one year."

The one year period is debatable, what matters is we have well defined rules in order to avoid future flamewars.

Denis.

