| 1 |
On Tue, Oct 24, 2017 at 9:40 PM, Robin H. Johnson <robbat2@g.o> wrote: |
| 2 |
> On Tue, Oct 24, 2017 at 11:33:39PM +0200, Allan Wegan wrote: |
| 3 |
>> >> That is currently the case with portage, but not an inevitable |
| 4 |
>> >> consequence of having 3 hash functions in the Manifest. Portage could |
| 5 |
>> >> be made to check only one or two of them (even by default), giving |
| 6 |
>> >> the tie-breaking ability to those who need it, and speeding up things |
| 7 |
>> >> for those who don't. |
| 8 |
>> > No, it can't. The specification (GLEP 59) requires it to check all |
| 9 |
>> > hashes. |
| 10 |
>> |
| 11 |
>> Of course it can: The code of the specification just has to be changed |
| 12 |
>> before changing the code of portage. The question is not whether it is |
| 13 |
>> possible to make portage skip hash verification - but whether it is a |
| 14 |
>> good idea to make it do that... |
| 15 |
>> |
| 16 |
>> I would not mind as long as the default is to always check all the |
| 17 |
>> hashes and the option to disable it is properly named (like |
| 18 |
>> "--disable-hash-verification" or something similar) and documented. |
| 19 |
> At that point, and this is a serious proposal: |
| 20 |
> The package manager shall decide which hashes to check, but is required |
| 21 |
> to check at least one hash. The choice may be 'fastest', 'most secure', |
| 22 |
> or any local factor. |
| 23 |
> |
| 24 |
> For local values of 'most secure' or 'fastest'. |
| 25 |
> |
| 26 |
> I wrote GLEP59, and specified at the time that all hashes should be |
| 27 |
> checked, based on prior experience with hash implementation problems. |
| 28 |
> |
| 29 |
> Skipping them entirely is a bad idea, but only checking one of them is a |
| 30 |
> reasonable suggestion. |
| 31 |
> |
| 32 |
|
| 33 |
The talk on gentoo-dev related to the security of hash functions still |
| 34 |
has me confused as to why anyone would want to remove the |
| 35 |
alternatives. Arguably this gives the setup most of its security. |
| 36 |
|
| 37 |
I acknowledge Mr. Böck's observation that most programs only use one |
| 38 |
hash. When I first encountered portage, I thought the use of multiple |
| 39 |
hashes was a very novel and security conscious design choice. The cost |
| 40 |
is negligible compared to the difficulty it adds to generating a |
| 41 |
collision. |
| 42 |
|
| 43 |
Of course, the difficulty of generating a collision that results in |
| 44 |
usable code is still very high, but there was an interesting paper |
| 45 |
that described how it could be easier than most people think. I am not |
| 46 |
sure how to find it again. It was based on the principle that the |
| 47 |
solution space for collisions that were valid was actually far denser |
| 48 |
than the solution space of all collisions. One of the results of this |
| 49 |
is that finding usefully malicious collisions is probably easier than |
| 50 |
finding a collision in general, although there may be more non-useful |
| 51 |
collisions overall. |
| 52 |
|
| 53 |
> I retract my prior suggestion that there should be 3 hashes, as I |
| 54 |
> realize a key statements in GLEP59 that were NEVER implemented: |
| 55 |
>>> - Removal of depreciated checksums shall happen after no less than 18 |
| 56 |
>>> months or one major Portage version cycle, whichever is greater. |
| 57 |
>>> ... |
| 58 |
>>> After the majority of Portage installations include SHA512 support: |
| 59 |
>>> - Remove SHA256. |
| 60 |
> |
| 61 |
> This GLEP to update the GLEP59 specification should state the following: |
| 62 |
> - The package manager or verification tool is required to verify at |
| 63 |
> least one hash, preferably the strongest supported hash. |
| 64 |
> - Multiple hashes may be present for transitional periods. |
| 65 |
> - SHA3 or BLAKE2B shall be added to the official Manifest2 hashes. |
| 66 |
> |
| 67 |
|
| 68 |
|
| 69 |
I'm still kind of confused as to why these changes are being made. Can |
| 70 |
they be justified? |
| 71 |
|
| 72 |
> For implementation: |
| 73 |
> - Generation of WHIRLPOOL and SHA256 shall be disabled in the next |
| 74 |
> Portage minor release (as soon as possible) |
| 75 |
> - Generation of the next choice of hash, SHA3 or BLAKE2B shall be |
| 76 |
> enabled in an upcoming minor Portage release (soon) |
| 77 |
> - 18 months after the next GLEP is approved, SHA512 shall be dropped |
| 78 |
> (put the date into the Portage code so it happens automatically this |
| 79 |
> time, unlike SHA256 that should have been removed in 2010!). |
| 80 |
> |
| 81 |
|
| 82 |
This makes sense, but I would hope deprecation can be justified in a useful way. |
| 83 |
|
| 84 |
Cheers, |
| 85 |
R0b0t1 |
Archives