Gentoo Archives: gentoo-dev

From: Mike Frysinger <vapier@g.o>
To: gentoo-dev@l.g.o
Subject: Re: [gentoo-dev] Notification about MD5 support
Date: Thu, 21 Sep 2006 14:14:51
In Reply to: Re: [gentoo-dev] Notification about MD5 support by Brian Harring
On Thursday 21 September 2006 10:00, Brian Harring wrote:
> On Thu, Sep 21, 2006 at 09:49:18AM -0400, Mike Frysinger wrote: > > On Thursday 21 September 2006 09:34, Marius Mauch wrote: > > > Manifest2 records do not contain a MD5 checksum. The only guaranteed > > > checksum type there is SHA1. So once manifest1 is phased out the tree > > > will not contain MD5 checksums anymore. > > > > by "guaranteed" do you mean "guaranteed to be in the records" ? SHA1 has > > proven to be "insecure" like MD5 > > Guranteed to be in the chksum data; iow, when manifest2 is switched > over to fully all manifest1/digest data becomes effectively invisible > to portage and is filtered out on commits. > > So... what's guranteed in manifest2 now is just sha1. In reality, it > holds size/sha1/sha256/rmd160 per file entry.
ok, but it just seems silly to go cutting MD5 but leaving SHA1 ... if we're going to be leaving an insecure format, we might as well keep the one that is a virtual standard in and of itself (MD5) -mike


Subject Author
Re: [gentoo-dev] Notification about MD5 support Vlastimil Babka <caster@g.o>