| 1 |
On Thursday 21 September 2006 10:00, Brian Harring wrote: |
| 2 |
> On Thu, Sep 21, 2006 at 09:49:18AM -0400, Mike Frysinger wrote: |
| 3 |
> > On Thursday 21 September 2006 09:34, Marius Mauch wrote: |
| 4 |
> > > Manifest2 records do not contain a MD5 checksum. The only guaranteed |
| 5 |
> > > checksum type there is SHA1. So once manifest1 is phased out the tree |
| 6 |
> > > will not contain MD5 checksums anymore. |
| 7 |
> > |
| 8 |
> > by "guaranteed" do you mean "guaranteed to be in the records" ? SHA1 has |
| 9 |
> > proven to be "insecure" like MD5 |
| 10 |
> |
| 11 |
> Guranteed to be in the chksum data; iow, when manifest2 is switched |
| 12 |
> over to fully all manifest1/digest data becomes effectively invisible |
| 13 |
> to portage and is filtered out on commits. |
| 14 |
> |
| 15 |
> So... what's guranteed in manifest2 now is just sha1. In reality, it |
| 16 |
> holds size/sha1/sha256/rmd160 per file entry. |
| 17 |
|
| 18 |
ok, but it just seems silly to go cutting MD5 but leaving SHA1 ... if we're |
| 19 |
going to be leaving an insecure format, we might as well keep the one that is |
| 20 |
a virtual standard in and of itself (MD5) |
| 21 |
-mike |
Archives