Hi, everyone.

The previous discussion on Manifest2 hashes pretty much died away
pending fixes to Portage. Since Portage was fixed a while ago, and we
can now safely switch, I'd like to reboot the discussion before
submitting the item for the next Council meeting.

Considering all arguments made so far, I'd like to propose changing:

  manifest-hashes = SHA256 SHA512 WHIRLPOOL

to:

  manifest-hashes = SHA512 SHA3_512

In other words, removing SHA256 and WHIRLPOOL, and adding SHA3_512.


Rationale
---------

1. The main argument for using multiple hashes is to prevent the (very
unlikely) possibility that if a weakness is discovered in one of
the hashes, the other would still hold. This is given by using two
algorithms; more than two do not increase security significantly, while
they do increase performance cost.

2. For the above to hold, the hashes should be diverse. SHA256
and SHA512 are the same algorithm, so a weakness discovered in either
would probably apply to both -- keeping both does not make sense at all.
Furthermore, both SHA2 and WHIRLPOOL use the same construct (MD), so
a weakness in the construct would apply to both.

3. Keeping one of the three old hashes is necessary for compatibility
reasons. Furthermore, the current versions of Portage consider SHA512
obligatory, so we can't remove it without redesigning Portage first
(though I think this applies only to developer installs, i.e. those
creating Manifests).

4. The new hashes that are stronger and commonly available are
SHA3/Keccak (using sponges) and BLAKE2 (HAIFA). Both are diverse from
our current algorithms, so either is a good candidate. The choice of
Keccak is purely arbitrary (because it's the winner?).

All the above considered, I think it's most reasonable to use two hashes
with diverse constructs. SHA512 needs to be one of them, for
compatibility reasons. The other could be either SHA3_512 or BLAKE2B,
as a strong, future-proof hash. SHA3 is probably a better choice because
it's going to have more support as the official recommendation.

-- 
Best regards,
Michał Górny
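
Added example (not part of the original message, and not Portage code): a small Python verifier for Manifest2-style DIST entries that shows rationale points 1 and 2 in practice, i.e. a file is accepted only if every hash in the policy matches. The helper names, the sample data and the simulated SHA512 break (modelled by making the SHA512 field match the altered data) are assumptions made for illustration.

```python
import hashlib

# Portage hash names -> hashlib constructors (WHIRLPOOL omitted: not guaranteed in hashlib).
HASHES = {"SHA256": hashlib.sha256, "SHA512": hashlib.sha512,
          "SHA3_512": hashlib.sha3_512, "BLAKE2B": hashlib.blake2b}


def make_entry(name, data, manifest_hashes):
    """Build a DIST line: DIST <name> <size> <HASH> <hex> [<HASH> <hex> ...]."""
    fields = ["DIST", name, str(len(data))]
    for h in manifest_hashes.split():
        fields += [h, HASHES[h](data).hexdigest()]
    return " ".join(fields)


def verify_entry(entry, data, required):
    """Return (ok, reason); every hash named in `required` must be listed and match."""
    parts = entry.split()
    if len(parts) < 5 or len(parts) % 2 == 0 or parts[0] != "DIST" or not parts[2].isdigit():
        return False, "malformed entry"
    if int(parts[2]) != len(data):
        return False, "size mismatch"
    listed = dict(zip(parts[3::2], parts[4::2]))
    for h in required.split():
        if h not in listed:
            return False, f"missing {h}"
        if HASHES[h](data).hexdigest() != listed[h]:
            return False, f"{h} mismatch"
    return True, "ok"


def with_broken_hash(entry, broken, other_data):
    """Simulate a break of `broken`: make that field also match `other_data`."""
    parts = entry.split()
    parts[parts.index(broken) + 1] = HASHES[broken](other_data).hexdigest()
    return " ".join(parts)


# Constructed sample data, not a real distfile.
GOOD = b"constructed distfile contents\n"
ALTERED = b"constructed distfile c0ntents\n"   # same length, different bytes
NEW_POLICY = "SHA512 SHA3_512"

if __name__ == "__main__":
    entry = make_entry("foo-1.0.tar.gz", GOOD, NEW_POLICY)
    forged = with_broken_hash(entry, "SHA512", ALTERED)
    print(verify_entry(entry, GOOD, NEW_POLICY))      # intact file
    print(verify_entry(forged, ALTERED, "SHA512"))    # single-hash policy
    print(verify_entry(forged, ALTERED, NEW_POLICY))  # two diverse hashes
```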