| 1 |
On 24/07/2021 16:16, Michał Górny wrote: |
| 2 |
> Hi, everyone. |
| 3 |
> |
| 4 |
> I've been asked to repost the idea of removing SHA512 hash from |
| 5 |
> Manifests, effectively limiting them to BLAKE2B. |
| 6 |
> |
| 7 |
> The 'old' set of Gentoo hashes including SHA512 went live in July 2012. |
| 8 |
> In November 2017, we have decided to remove the two other hashes and add |
| 9 |
> BLAKE2B in their stead. Today, all Gentoo packages are using BLAKE2B |
| 10 |
> and SHA512 hashes. |
| 11 |
> |
| 12 |
> To all extent, this is purely a cosmetic change. The benefit from |
| 13 |
> removing the additional hash is negligible, both from space perspective |
| 14 |
> and hashing speed perspective. The benefit from keeping two hashes is |
| 15 |
> also negligible. |
| 16 |
> |
| 17 |
> Back during the 2017 discussion, Infra came to the conclusion that we're |
| 18 |
> going to keep SHA512 for a transition period, then remove it, and stay |
| 19 |
> with a single hash algorithm. In my opinion, we have kept it long |
| 20 |
> enough. |
| 21 |
> |
| 22 |
> WDYT? |
| 23 |
> |
| 24 |
|
| 25 |
I use Gentoo heavily in my work but not a developer, so only offering a |
| 26 |
user perspective. I find SHA512 hashes in Manifests, of upstream |
| 27 |
provided tarballs (i.e. DIST entries) only, very useful when manually |
| 28 |
comparing with hashes provided by upstream sources. BLAKE2B may be |
| 29 |
better than SHA512 in certain respects but adoption elsewhere by |
| 30 |
comparison is extremely low. Granted SHA512 hashes of upstream files are |
| 31 |
certainly not plentiful (and it is shocking how many project still use |
| 32 |
MD5) but at least some projects provide them. I've personally never seen |
| 33 |
any project provide a BLAKE2B hash for a sources tarball. Additionally, |
| 34 |
as stated by someone else already, there is SHA512 hardware acceleration |
| 35 |
support on many systems. This can save precious time in certain |
| 36 |
scenarios when doing manual checks on large files. |
| 37 |
|
| 38 |
If there is little benefit to removing SHA512 it seems to me that there |
| 39 |
are significant benefits to keeping it. I for one would be quite |
| 40 |
disappointed to see it go. |
Archives