Archives
Archives
| From: | Ulrich Mueller <ulm@g.o> | ||
|---|---|---|---|
| To: | "Jason A. Donenfeld" <zx2c4@g.o> | ||
| Cc: | gentoo-dev@l.g.o, Matt Turner <mattst88@g.o> | ||
| Subject: | Re: [gentoo-dev] proposal: use only one hash function in manifest files | ||
| Date: | Tue, 05 Apr 2022 20:15:31 | ||
| Message-Id: | ufsmr5lto@gentoo.org | ||
| In Reply to: | Re: [gentoo-dev] proposal: use only one hash function in manifest files by "Jason A. Donenfeld" |
||
| 1 | >>>>> On Tue, 05 Apr 2022, Jason A Donenfeld wrote: |
| 2 | |
| 3 | > Huh. Something not brought up there or https://bugs.gentoo.org/784710 |
| 4 | > is the fact that the _security_ of the system reduces to SHA-512 as |
| 5 | > used by our GPG signatures. |
| 6 | |
| 7 | The hash algorithm would be the least of my concerns about the security |
| 8 | of these signatures. |
| 9 | |
| 10 | IIUC, the secret signing key is stored on a machine that is connected to |
| 11 | the network (Infra, please correct me if I'm wrong). So there are other |
| 12 | more likely attack vectors than a preimage attack on a 512 bit hash |
| 13 | function. |
| 14 | |
| 15 | Also: https://xkcd.com/538/ :) |
| 16 | |
| 17 | Ulrich |
| File name | MIME type |
|---|---|
| signature.asc | application/pgp-signature |
| Subject | Author |
|---|---|
| Re: [gentoo-dev] proposal: use only one hash function in manifest files | "Jason A. Donenfeld" <zx2c4@g.o> |