1 |
On Tue, Oct 24, 2017 at 9:40 PM, Robin H. Johnson <robbat2@g.o> wrote: |
2 |
> On Tue, Oct 24, 2017 at 11:33:39PM +0200, Allan Wegan wrote: |
3 |
>> >> That is currently the case with portage, but not an inevitable |
4 |
>> >> consequence of having 3 hash functions in the Manifest. Portage could |
5 |
>> >> be made to check only one or two of them (even by default), giving |
6 |
>> >> the tie-breaking ability to those who need it, and speeding up things |
7 |
>> >> for those who don't. |
8 |
>> > No, it can't. The specification (GLEP 59) requires it to check all |
9 |
>> > hashes. |
10 |
>> |
11 |
>> Of course it can: The code of the specification just has to be changed |
12 |
>> before changing the code of portage. The question is not whether it is |
13 |
>> possible to make portage skip hash verification - but whether it is a |
14 |
>> good idea to make it do that... |
15 |
>> |
16 |
>> I would not mind as long as the default is to always check all the |
17 |
>> hashes and the option to disable it is properly named (like |
18 |
>> "--disable-hash-verification" or something similar) and documented. |
19 |
> At that point, and this is a serious proposal: |
20 |
> The package manager shall decide which hashes to check, but is required |
21 |
> to check at least one hash. The choice may be 'fastest', 'most secure', |
22 |
> or any local factor. |
23 |
> |
24 |
> For local values of 'most secure' or 'fastest'. |
25 |
> |
26 |
> I wrote GLEP59, and specified at the time that all hashes should be |
27 |
> checked, based on prior experience with hash implementation problems. |
28 |
> |
29 |
> Skipping them entirely is a bad idea, but only checking one of them is a |
30 |
> reasonable suggestion. |
31 |
> |
32 |
|
33 |
The talk on gentoo-dev related to the security of hash functions still |
34 |
has me confused as to why anyone would want to remove the |
35 |
alternatives. Arguably this gives the setup most of its security. |
36 |
|
37 |
I acknowledge Mr. Böck's observation that most programs only use one |
38 |
hash. When I first encountered portage, I thought the use of multiple |
39 |
hashes was a very novel and security conscious design choice. The cost |
40 |
is negligible compared to the difficulty it adds to generating a |
41 |
collision. |
42 |
|
43 |
Of course, the difficulty of generating a collision that results in |
44 |
usable code is still very high, but there was an interesting paper |
45 |
that described how it could be easier than most people think. I am not |
46 |
sure how to find it again. It was based on the principle that the |
47 |
solution space for collisions that were valid was actually far denser |
48 |
than the solution space of all collisions. One of the results of this |
49 |
is that finding usefully malicious collisions is probably easier than |
50 |
finding a collision in general, although there may be more non-useful |
51 |
collisions overall. |
52 |
|
53 |
> I retract my prior suggestion that there should be 3 hashes, as I |
54 |
> realize a key statements in GLEP59 that were NEVER implemented: |
55 |
>>> - Removal of depreciated checksums shall happen after no less than 18 |
56 |
>>> months or one major Portage version cycle, whichever is greater. |
57 |
>>> ... |
58 |
>>> After the majority of Portage installations include SHA512 support: |
59 |
>>> - Remove SHA256. |
60 |
> |
61 |
> This GLEP to update the GLEP59 specification should state the following: |
62 |
> - The package manager or verification tool is required to verify at |
63 |
> least one hash, preferably the strongest supported hash. |
64 |
> - Multiple hashes may be present for transitional periods. |
65 |
> - SHA3 or BLAKE2B shall be added to the official Manifest2 hashes. |
66 |
> |
67 |
|
68 |
|
69 |
I'm still kind of confused as to why these changes are being made. Can |
70 |
they be justified? |
71 |
|
72 |
> For implementation: |
73 |
> - Generation of WHIRLPOOL and SHA256 shall be disabled in the next |
74 |
> Portage minor release (as soon as possible) |
75 |
> - Generation of the next choice of hash, SHA3 or BLAKE2B shall be |
76 |
> enabled in an upcoming minor Portage release (soon) |
77 |
> - 18 months after the next GLEP is approved, SHA512 shall be dropped |
78 |
> (put the date into the Portage code so it happens automatically this |
79 |
> time, unlike SHA256 that should have been removed in 2010!). |
80 |
> |
81 |
|
82 |
This makes sense, but I would hope deprecation can be justified in a useful way. |
83 |
|
84 |
Cheers, |
85 |
R0b0t1 |