From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id DFE34139694 for ; Tue, 4 Apr 2017 11:19:54 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 463B0E0CF3; Tue, 4 Apr 2017 11:19:47 +0000 (UTC) Received: from smtp.gentoo.org (woodpecker.gentoo.org [IPv6:2001:470:ea4a:1:5054:ff:fec7:86e4]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id F1BBAE0CD7 for ; Tue, 4 Apr 2017 11:19:46 +0000 (UTC) Received: from [141.23.219.223] (wlan-141-23-219-223.tubit.tu-berlin.de [141.23.219.223]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: chithanh) by smtp.gentoo.org (Postfix) with ESMTPSA id ACCA233BEAE for ; Tue, 4 Apr 2017 11:19:45 +0000 (UTC) Subject: Re: [gentoo-dev] [RFC] New Manifest hashes and how to enable them To: gentoo-dev@lists.gentoo.org References: <1491239350.1978.1.camel@gentoo.org> From: =?UTF-8?Q?Ch=c3=ad-Thanh_Christopher_Nguy=e1=bb=85n?= Message-ID: <4574a5b3-86be-eb55-47b8-b39da521c0a3@gentoo.org> Date: Tue, 4 Apr 2017 13:18:10 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:49.0) Gecko/20100101 Firefox/49.0 SeaMonkey/2.46 Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-dev@lists.gentoo.org Reply-to: gentoo-dev@lists.gentoo.org MIME-Version: 1.0 In-Reply-To: <1491239350.1978.1.camel@gentoo.org> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit X-Archives-Salt: ac468fac-c1ea-4315-9dd8-799900116c12 X-Archives-Hash: 3c1bd48ff456767bd16e84d5ba61cbd3 Michał Górny schrieb: > I think the first reasonable change would be to deprecate SHA256. It is > pretty much the same algorithm as SHA512, except for different > parameters. It is weaker than SHA512, and SHA512 is supported on all > existing platforms anyway. I think there is nothing wrong or insecure with continuing to use SHA256, even though it is technically weaker than SHA512. If it is already included in all Manifests then keeping it as standard is preferable I think. Some people consider having a second dissimilar algorithm at hand a good idea. I suggest SHA3 in that case. manifest-hashes = SHA256 SHA3-256 Best regards, Chí-Thanh Christopher Nguyễn