Date: Wed, 8 Apr 2020 09:13:30 -0700
From: Brian Dolbec
To: gentoo-catalyst@lists.gentoo.org
Subject: Re: [gentoo-catalyst] [PATCH 1/5] targets: Drop SHA512 isoroot verification support
Message-ID: <20200408091330.73b6ebf1@professor-x>
In-Reply-To: <20200408032753.105267-1-mattst88@gentoo.org>

On Tue, 7 Apr 2020 20:27:49 -0700 Matt Turner wrote:

> BLAKE2 is good and fast. Pentoo is using BLAKE2. There's no need for a
> second digest.
>
> Signed-off-by: Matt Turner
> ---
> examples/livecd-stage2_template.spec | 8 ++++----
> targets/support/create-iso.sh | 27 +++++++--------------------
> 2 files changed, 11 insertions(+), 24 deletions(-)
>
> diff --git a/examples/livecd-stage2_template.spec
> b/examples/livecd-stage2_template.spec index 7398c972..4cb94d40 100644
> --- a/examples/livecd-stage2_template.spec
> +++ b/examples/livecd-stage2_template.spec
> @@ -316,11 +316,11 @@ boot/kernel/gentoo/packages: > # boot/kernel/gentoo/console: tty0 ttyS0 > boot/kernel/gentoo/console: > > -# This feature will make sha512, blake2, or both checksums for every > file in the iso (including files provided by livecd/overlay -# These > checksums can be verified at boot using the genkernel option "verify" > added to the kernel line. -# Currently this feature will generate > both checksums if livecd/verify is defined to *any* value other than > "blake2" or "sha512" +# Enables the generation of a isoroot_b2sums > file containing a BLAKE2 digest of +# each file in the ISO. When > 'livecd/bootargs' contains 'verify' this feature +# will be used to > verify the contents of the ISO at boot time. # No checksums are > generated if this is left commented. -#livecd/verify: sha512 > +#livecd/verify: blake2 # This feature controls the depclean run > after fsscript and before unmerge. # The default is unset, and will > run emerge --depclean --with-bdeps=n which results diff --git > a/targets/support/create-iso.sh b/targets/support/create-iso.sh index > 9b10b7cf..b0e4d15e 100755 --- a/targets/support/create-iso.sh > +++ b/targets/support/create-iso.sh 
> @@ -94,30 +94,17 @@ else > mkisofs_zisofs_opts="" > fi > > -#we want to create a checksum for every file on the iso so we can > verify it -#from genkernel during boot. Here we make a function to > create the sha512sums, and blake2sums +# Generate list of checksums > that genkernel can use to verify the contents of +# the ISO > isoroot_checksum() { > - echo "Creating checksums for all files included in the iso, > please wait..." > - if [ -z "${1}" ] || [ "${1}" = "sha512" ]; then > - find "${clst_target_path}" -type f ! -name > 'isoroot_checksums' ! -name 'isolinux.bin' ! -name 'isoroot_b2sums' > -exec sha512sum {} + > "${clst_target_path}"/isoroot_checksums > - ${clst_sed} -i "s#${clst_target_path}/\?##" > "${clst_target_path}"/isoroot_checksums > - fi > - if [ -z "${1}" ] || [ "${1}" = "blake2" ]; then > - find "${clst_target_path}" -type f ! -name > 'isoroot_checksums' ! -name 'isolinux.bin' ! -name 'isoroot_b2sums' > -exec b2sum {} + > "${clst_target_path}"/isoroot_b2sums > - ${clst_sed} -i "s#${clst_target_path}/\?##" > "${clst_target_path}"/isoroot_b2sums > - fi > + echo ">> Creating checksums for all files included in the > ISO" > + find "${clst_target_path}" -type f ! -name 'isoroot_b2sums' > -exec b2sum {} + > "${clst_target_path}"/isoroot_b2sums > + ${clst_sed} -i "s#${clst_target_path}/\?##" > "${clst_target_path}"/isoroot_b2sums } > > run_mkisofs() { > - if [ -n "${clst_livecd_verify}" ]; then > - if [ "${clst_livecd_verify}" = "sha512" ]; then > - isoroot_checksum sha512 > - elif [ "${clst_livecd_verify}" = "blake2" ]; then > - isoroot_checksum blake2 > - else > - isoroot_checksum > - fi > - fi > + [ -n "${clst_livecd_verify}" ] && isoroot_checksum > + > echo "Running \"mkisofs ${@}\"" > mkisofs "${@}" || die "Cannot make ISO image" > } I know I've been out of touch for almost the last year, but why remove sha512? the current code it is optional for either of the two or both. What is gentoo now supplying primarily? 
If any change is to be made, I think it should be made as a plugin so the base code doesn't need to be changed as things change to the checksum of the day...
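
Review bot: In the examples/livecd-stage2_template.spec hunk, the new comment for livecd/verify does not say that the option's value is no longer interpreted. With the create-iso.sh change in this patch reducing the check to `[ -n "${clst_livecd_verify}" ] && isoroot_checksum`, a spec that still carries `livecd/verify: sha512` builds without complaint and ships only isoroot_b2sums. Suggest stating in the comment that blake2 is the only supported value, or failing the build on any other value so that existing specs are caught. Minor: "a isoroot_b2sums" should read "an isoroot_b2sums".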
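
Review bot: In the targets/support/create-iso.sh hunk, the rewritten find in isoroot_checksum() drops `! -name 'isolinux.bin'` together with the isoroot_checksums exclusion, while the commit message only mentions removing SHA512. If that file was excluded because its contents differ between the moment the digest is taken and the finished ISO, boot-time verification would now fail on it; please confirm the exclusion is unnecessary or keep it. Separately, neither the find/b2sum command nor the sed call is checked for failure, whereas mkisofs a few lines below uses `|| die "Cannot make ISO image"`; adding a `|| die` here would keep a partial isoroot_b2sums from ending up in the image.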