Gentoo Archives: gentoo-dev

From: "Michał Górny" <mgorny@g.o>
To: gentoo-dev-announce@l.g.o
Cc: gentoo-dev@l.g.o
Subject: [gentoo-dev] Obsolete manifest-hashes in third-party repositories
Date: Fri, 30 Dec 2022 12:50:58
1 Hello, everyone.
3 TL;DR: if you're running your own repostiory, please 1) make sure that
4 you don't include deprecated hashes in manifest-hashes, and 2) consider
5 removing custom manifest-hashes and just going with the default.
8 Many third-party Gentoo repositories right now include manifest-hashes
9 declaration in their metadata/layout.conf. From a quick look, I think
10 that at least some of them are copied from ::gentoo at a particular
11 time, and eventually grew out of date.
13 One hash of particular concern is WHIRLPOOL. As of OpenSSL-3, it is not
14 provided by default by OpenSSL-3 and therefore Portage started falling
15 back to the very slow Python implementation. And by "very slow", I
16 actually mean atrociously slow -- it takes 6 seconds to hash a 1 MiB
17 file here [1].
19 While there are measures in place to avoid this, it brings a more
20 general problem of outdated hashes to my attention. Therefore, I'd like
21 to ask repository owners to:
23 1) Consider if they really need to redefine manifest-hashes. The key is
24 not mandatory, and if the defaults work fine for you, please just remove
25 it and let the PMs use the defaults.
27 2) Check if their custom manifest-hashes aren't obsolete. At least MD5,
28 SHA1, RMD160 and WHIRLPOOL hashes should be considered deprecated
29 at this moment. I'd also recommend including at least one BLAKE2
30 (BLAKE2B, BLAKE2S) or SHA2 (SHA256, SHA512) variant for the best
31 interoperability combined with security.
33 3) Regenerate Manifests if they have changed manifest-hashes.
35 TIA.
38 [1]
40 --
41 Best regards,
42 Michał Górny