| 1 |
Hi, everyone. |
| 2 |
|
| 3 |
The Council has approved the manifest-hashes switch on 2017-11-12 |
| 4 |
meeting [1]. The transition will occur to the initial plan, with small |
| 5 |
changes. The updated plan is included at the end of this mail. |
| 6 |
|
| 7 |
According to this plan, BLAKE2B will be enabled on 2017-11-21. This |
| 8 |
means that starting at this time, all new and updated DIST entries will |
| 9 |
use BLAKE2B+SHA512. Old DIST entries will still use the current hash set |
| 10 |
until updated. |
| 11 |
|
| 12 |
The developers are required to upgrade to a package manager supporting |
| 13 |
this hash. That is: |
| 14 |
|
| 15 |
a. Portage 2.3.5 when using py3.6+, |
| 16 |
|
| 17 |
b. Portage 2.3.13 + pyblake2 installed manually, |
| 18 |
|
| 19 |
c. Portage 2.3.13-r1 that includes the pyblake2 dep. |
| 20 |
|
| 21 |
Modern (and old) Portage will refuse to update Manifests if it does not |
| 22 |
support the necessary hashes. However, Portage versions between 2.3.5 |
| 23 |
and 2.3.13 inclusively will create Manifests missing BLAKE2B hash rather |
| 24 |
than failing when no hash provider is present. Those Manifests will be |
| 25 |
rejected by the git hook. |
| 26 |
|
| 27 |
Users will not be affected noticeably as the SHA512 hash continues being |
| 28 |
used for compatibility. |
| 29 |
|
| 30 |
|
| 31 |
That said, I'd like to request developers not to start proactively |
| 32 |
converting all old Manifest entries to the new set immediately, |
| 33 |
and instead give some time for things to settle down. |
| 34 |
|
| 35 |
|
| 36 |
|
| 37 |
The updated plan |
| 38 |
================ |
| 39 |
|
| 40 |
Already done: |
| 41 |
|
| 42 |
- revbumped Portage with pyblake2 dep and started stabilizing it, |
| 43 |
|
| 44 |
- added git update hook to reject invalid Manifest entries. |
| 45 |
|
| 46 |
2017-11-21 (T+7d): |
| 47 |
|
| 48 |
- manifest-hashes = BLAKE2B SHA512 |
| 49 |
|
| 50 |
2018-02-14 (T+3m): |
| 51 |
|
| 52 |
- manifest-required-hashes = BLAKE2B |
| 53 |
|
| 54 |
2018-05-14 (T+6m): |
| 55 |
|
| 56 |
- last rite fetch-restricted packages that do not use BLAKE2B. |
| 57 |
|
| 58 |
The final removal of SHA512 will be decided by the Council separately. |
| 59 |
|
| 60 |
|
| 61 |
-- |
| 62 |
Best regards, |
| 63 |
Michał Górny |
Archives