1 |
Hello, everyone. |
2 |
|
3 |
TL;DR: if you're running your own repostiory, please 1) make sure that |
4 |
you don't include deprecated hashes in manifest-hashes, and 2) consider |
5 |
removing custom manifest-hashes and just going with the default. |
6 |
|
7 |
|
8 |
Many third-party Gentoo repositories right now include manifest-hashes |
9 |
declaration in their metadata/layout.conf. From a quick look, I think |
10 |
that at least some of them are copied from ::gentoo at a particular |
11 |
time, and eventually grew out of date. |
12 |
|
13 |
One hash of particular concern is WHIRLPOOL. As of OpenSSL-3, it is not |
14 |
provided by default by OpenSSL-3 and therefore Portage started falling |
15 |
back to the very slow Python implementation. And by "very slow", I |
16 |
actually mean atrociously slow -- it takes 6 seconds to hash a 1 MiB |
17 |
file here [1]. |
18 |
|
19 |
While there are measures in place to avoid this, it brings a more |
20 |
general problem of outdated hashes to my attention. Therefore, I'd like |
21 |
to ask repository owners to: |
22 |
|
23 |
1) Consider if they really need to redefine manifest-hashes. The key is |
24 |
not mandatory, and if the defaults work fine for you, please just remove |
25 |
it and let the PMs use the defaults. |
26 |
|
27 |
2) Check if their custom manifest-hashes aren't obsolete. At least MD5, |
28 |
SHA1, RMD160 and WHIRLPOOL hashes should be considered deprecated |
29 |
at this moment. I'd also recommend including at least one BLAKE2 |
30 |
(BLAKE2B, BLAKE2S) or SHA2 (SHA256, SHA512) variant for the best |
31 |
interoperability combined with security. |
32 |
|
33 |
3) Regenerate Manifests if they have changed manifest-hashes. |
34 |
|
35 |
TIA. |
36 |
|
37 |
|
38 |
[1] https://bugs.gentoo.org/885909 |
39 |
|
40 |
-- |
41 |
Best regards, |
42 |
Michał Górny |