From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from pigeon.gentoo.org ([208.92.234.80] helo=lists.gentoo.org) by finch.gentoo.org with esmtp (Exim 4.60) (envelope-from ) id 1NcBuX-00064e-F1 for garchives@archives.gentoo.org; Tue, 02 Feb 2010 06:06:53 +0000 Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 65576E0B3B; Tue, 2 Feb 2010 06:06:43 +0000 (UTC) Received: from mail-ww0-f53.google.com (mail-ww0-f53.google.com [74.125.82.53]) by pigeon.gentoo.org (Postfix) with ESMTP id E0C80E0A9D for ; Tue, 2 Feb 2010 06:06:15 +0000 (UTC) Received: by wwc33 with SMTP id 33so240640wwc.40 for ; Mon, 01 Feb 2010 22:06:15 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:sender:received:in-reply-to :references:date:x-google-sender-auth:message-id:subject:from:to :content-type; bh=ThMOJYSC9RIA+8f68U1Ju2wa6xLHFFSdqZra8iYwJc8=; b=Z3HOJ9NJX2Bh8+zg+0ram9LRvVi19lt4L/c/HVuNIIGW8vCkvvs2g89l74n7l/39n2 WQUjpFdM7soXua4trKQ4Z2aHOGLCJbyZ2kPgRoFaxzCFYXNBlEbrfXNUIvHhKa4UMMYH HnFl21lYKfZhlnPRAQnjR+70LCVCeJuTcOOQU= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:content-type; b=u0A0vncZKnTtBk6nRjj/zutYposYzkrWFzCTuqEr6zAJyXY0AmTBzdvWTuQ/ZAaDiv qb5WefXqHTuIkrjBs9+NYemAaJ+6oUxxsVhOge+Z1HiF3GhB8XSjpL7gcxOnhwf7Hjp5 iRMsVmyRxCx/iTigBH3E/UHQ2dKw3i5HLx5yA= Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-dev@lists.gentoo.org Reply-to: gentoo-dev@lists.gentoo.org MIME-Version: 1.0 Sender: denis.dupeyron@gmail.com Received: by 10.216.86.3 with SMTP id v3mr2734720wee.165.1265090775364; Mon, 01 Feb 2010 22:06:15 -0800 (PST) In-Reply-To: References: Date: Mon, 1 Feb 2010 23:06:15 -0700 X-Google-Sender-Auth: 9666ace06249dc58 Message-ID: <7c612fc61002012206n59c89f90rd3a0e780321a4c59@mail.gmail.com> Subject: Re: [gentoo-dev] GLEP59 - Manifest2 hashes From: Denis Dupeyron To: gentoo-dev@lists.gentoo.org Content-Type: text/plain; charset=ISO-8859-1 X-Archives-Salt: 35cfefd5-8c6e-4c56-8b66-9fbd98b9225a X-Archives-Hash: 560a324af0eb919336e38c3d108b2a7e On Mon, Feb 1, 2010 at 1:23 AM, Doug Goldstein wrote: > However, great work on this GLEP, you've put forth some good solid > research into it. Agreed. I would suggest to use this series of GLEPs as examples of what to do for future GLEP writers. > I do hope that we don't intend on settling on SHA512 as the end all > solution as well. We should retain a method for bumping the hashing > algorithm used when the SHA-3 family becomes available. >From the way I understand it the GLEP implies that we can add hashes at will. But that's a good point, and a one-liner somewhere making it explicit would be useful. Thus, in "What should be done" I would I would for example replace "We should be prepared to add stronger checksums wherever possible, and to remove those that have been defeated." with: "Stronger checksums shall be added as soon as an implementation is available in Portage. Weak checksums may be removed as long as the depreciation process is followed (see below)." And then, in "Checksum depreciation timing" I would prefer that the description of what needs to be done in the present situation was used as an example after a more general rule is stated. Something like: "At least one older algorithm must remain until the new one(s) has (have) been in stable Portage for minimum one year." The one year period is debatable, what matters is we have well defined rules in order to avoid future flamewars. Denis.