| 1 |
Hello, everyone. |
| 2 |
|
| 3 |
TL;DR: if you're running your own repostiory, please 1) make sure that |
| 4 |
you don't include deprecated hashes in manifest-hashes, and 2) consider |
| 5 |
removing custom manifest-hashes and just going with the default. |
| 6 |
|
| 7 |
|
| 8 |
Many third-party Gentoo repositories right now include manifest-hashes |
| 9 |
declaration in their metadata/layout.conf. From a quick look, I think |
| 10 |
that at least some of them are copied from ::gentoo at a particular |
| 11 |
time, and eventually grew out of date. |
| 12 |
|
| 13 |
One hash of particular concern is WHIRLPOOL. As of OpenSSL-3, it is not |
| 14 |
provided by default by OpenSSL-3 and therefore Portage started falling |
| 15 |
back to the very slow Python implementation. And by "very slow", I |
| 16 |
actually mean atrociously slow -- it takes 6 seconds to hash a 1 MiB |
| 17 |
file here [1]. |
| 18 |
|
| 19 |
While there are measures in place to avoid this, it brings a more |
| 20 |
general problem of outdated hashes to my attention. Therefore, I'd like |
| 21 |
to ask repository owners to: |
| 22 |
|
| 23 |
1) Consider if they really need to redefine manifest-hashes. The key is |
| 24 |
not mandatory, and if the defaults work fine for you, please just remove |
| 25 |
it and let the PMs use the defaults. |
| 26 |
|
| 27 |
2) Check if their custom manifest-hashes aren't obsolete. At least MD5, |
| 28 |
SHA1, RMD160 and WHIRLPOOL hashes should be considered deprecated |
| 29 |
at this moment. I'd also recommend including at least one BLAKE2 |
| 30 |
(BLAKE2B, BLAKE2S) or SHA2 (SHA256, SHA512) variant for the best |
| 31 |
interoperability combined with security. |
| 32 |
|
| 33 |
3) Regenerate Manifests if they have changed manifest-hashes. |
| 34 |
|
| 35 |
TIA. |
| 36 |
|
| 37 |
|
| 38 |
[1] https://bugs.gentoo.org/885909 |
| 39 |
|
| 40 |
-- |
| 41 |
Best regards, |
| 42 |
Michał Górny |
Archives