From: Hanno Böck
To: gentoo-dev@lists.gentoo.org
Date: Wed, 25 Oct 2017 14:32:04 +0200
Subject: Re: [gentoo-dev] Manifest2 hashes, take n+1-th: one hash to decide them all
Message-ID: <20171025143204.0ebe00b4@pc1>

Hi,

On Wed, 25 Oct 2017 02:40:58 +0000
"Robin H. Johnson" wrote:

> At that point, and this is a serious proposal:
> The package manager shall decide which hashes to check, but is
> required to check at least one hash. The choice may be 'fastest',
> 'most secure', or any local factor.

Sorry to contribute again to the bikeshedding, but I'd really like to
get one thought across here:
Good security includes reducing complexity. Though (as evidenced by this
thread) it's a thought many people find hard to accept.

I don't think this is most important in this discussion, but I feel
it's something people should keep in mind also for other decisions to
be made.

This thread is going into a completely different direction and I find
that worrisome. We have two non-problems ("what if secure hash X gets
broken?" and "what if it's too slow? I haven't benchmarked, but what if
it's too slow??") and people proposing increasingly complex solutions.

If you do what you propose, my worries aren't that any hash gets broken
or that it's too slow. It's that some bug will chime in where in some
situation no hash gets checked whatsoever.

Having more than one hash is already unneeded complexity. Nobody does
that. TLS signatures use one hash. GPG signatures use one hash. Signal
uses one hash. I'm not aware of any credible cryptographic product that
feels the need to have multiple hashes concatenated. (The only real
example I'm aware of is old TLS versions which chose to concat two
insecure hashes - MD5+sha1 - which obviously wasn't the smartest idea
either, but one can credibly say they didn't know better back then.)

Having a situation where one can either check one hash or multiple and
add configurability around that is another step of adding unneeded
complexity.

Also one more comment about the issue with potentially buggy hash
implementations: I feel this is a software testing problem rather than
anything that should influence our package manager format or be tested
at runtime. Add a self-test of hash functions with a large batch of
test vectors that you can easily run.

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: hanno@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
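
The self-test suggested in the message above, sketched as an added example (not part of the original post and not Portage code): a known-answer test over Python's hashlib that checks both one-shot and chunked hashing and fails closed when nothing was checked. The names `KAT`, `self_test` and `IgnoresUpdate` are illustrative; the vectors are the standard published digests of "", "abc" and one million "a" bytes.

```python
import hashlib
import sys

# Published known-answer vectors: (algorithm, message, expected hex digest).
KAT = [
    ("sha256", b"", "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"),
    ("sha256", b"abc", "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"),
    ("sha256", b"a" * 1_000_000,
     "cdc76e5c9914fb9281a1c7e284d73e67f1809a48a497200e046d39ccc7112cd0"),
    ("sha512", b"", "cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce"
                    "47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e"),
    ("sha512", b"abc", "ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a"
                       "2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f"),
]

def self_test(new=hashlib.new, vectors=KAT, chunk=4096):
    """Return a list of failure messages; an empty list means all vectors passed."""
    if not vectors:
        return ["no test vectors supplied: nothing was checked"]  # fail closed
    failures = []
    for algo, msg, expected in vectors:
        try:
            one_shot = new(algo, msg).hexdigest()
            h = new(algo)
            for i in range(0, len(msg), chunk):  # the way a file would be hashed
                h.update(msg[i:i + chunk])
            streamed = h.hexdigest()
        except Exception as exc:  # a missing algorithm counts as a failure
            failures.append(f"{algo}: unavailable or crashed ({exc})")
            continue
        if one_shot != expected:
            failures.append(f"{algo}: one-shot digest mismatch ({len(msg)} bytes)")
        if streamed != expected:
            failures.append(f"{algo}: streamed digest mismatch ({len(msg)} bytes)")
    return failures

class IgnoresUpdate:
    """Constructed faulty implementation: update() silently drops its data."""
    def __init__(self, algo, data=b""):
        self._h = hashlib.new(algo, data)
    def update(self, data):
        pass  # the injected bug
    def hexdigest(self):
        return self._h.hexdigest()

if __name__ == "__main__":
    problems = self_test()
    print("\n".join(problems) or "all hash self-tests passed")
    sys.exit(1 if problems else 0)
```

Running the same suite against `IgnoresUpdate` shows the test catching a fault that only appears on the chunked path, which one-shot vectors alone would miss.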