From: "Hanno Böck" <hanno@gentoo.org>
To: Dirkjan Ochtman <djc@gentoo.org>
Cc: Gentoo Development <gentoo-dev@lists.gentoo.org>,
infra <infra@gentoo.org>,
dev-portage@gentoo.org, k_f@gentoo.org
Subject: Re: [gentoo-dev] [RFC] New Manifest hashes and how to enable them
Date: Mon, 3 Apr 2017 22:14:40 +0200 [thread overview]
Message-ID: <20170403221440.478f3880@pc1> (raw)
In-Reply-To: <CAKmKYaCuxHJ-SEaf7fs_iv3Gs4pPZymdmK7DrRSbFJJ=GAp29Q@mail.gmail.com>
Hi,
On Mon, 3 Apr 2017 22:00:15 +0200
Dirkjan Ochtman <djc@gentoo.org> wrote:
> First of all, SHA-256 should be safe for all intents and purposes, and
> for the foreseeable future. This is nothing like Git's usage of SHA-1,
> which was known to be on the way to brokenville for a long time. I
> don't think there is a solid reason for deprecating it now.
>
> Second, the amount of diversity proposed does not make sense. If
> asked, I would propose we keep SHA-256 as one of the options and
> additionally add a SHA3 variant and a BLAKE2 variant as other options.
> This would provide more than enough diversity. Also totally agreed
> with Vadim on the obscurity of the GOST algorithms.
>
> But, this is the kind of thing where we really should get input from
> the Security project, so we should get people like Hanno and Kristian
> involved.
As you specifically asked for my opinion:
I think there's no reason to doubt the security of any of the sha2
hashes (including sha256), any of sha3 or blake2 for the forseeable
future. (That means counting in many decades - there isn't even a shred
of evidence sha256 is going to be broken any time soon.)
There's no point in deprecating anything.
I find it unnecessary to introduce additional complexity here and
adding obscurity algorithms like gost sounds really bizarre and
unnecessary. I'd recommend against introducing anything that
requires unusual dependencies.
If anything I'd propose to just change to a single hash functio
--
Hanno Böck
https://hboeck.de/
mail/jabber: hanno@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
next prev parent reply other threads:[~2017-04-03 20:15 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-04-03 17:09 [gentoo-dev] [RFC] New Manifest hashes and how to enable them Michał Górny
2017-04-03 17:25 ` Matthias Maier
2017-04-03 17:49 ` Vadim A. Misbakh-Soloviov
2017-04-03 18:14 ` Robin H. Johnson
2017-04-03 17:32 ` Vadim A. Misbakh-Soloviov
2017-04-03 18:28 ` Michał Górny
2017-04-03 18:01 ` David Seifert
2017-04-03 20:00 ` Dirkjan Ochtman
2017-04-03 20:14 ` Hanno Böck [this message]
2017-04-04 5:21 ` Ulrich Mueller
2017-04-04 8:34 ` Kristian Fiskerstrand
2017-04-04 11:18 ` Chí-Thanh Christopher Nguyễn
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170403221440.478f3880@pc1 \
--to=hanno@gentoo.org \
--cc=dev-portage@gentoo.org \
--cc=djc@gentoo.org \
--cc=gentoo-dev@lists.gentoo.org \
--cc=infra@gentoo.org \
--cc=k_f@gentoo.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox