From: R0b0t1
Date: Fri, 20 Oct 2017 20:23:16 -0500
Subject: Re: [gentoo-dev] Manifest2 hashes, take n+1-th
To: gentoo-dev@lists.gentoo.org
In-Reply-To: <493bb327-9729-1698-ac07-d74a8ee3a14b@gentoo.org>

On Fri, Oct 20, 2017 at 8:04 AM, Kristian Fiskerstrand wrote:
> On 10/20/2017 11:10 AM, Dirkjan Ochtman wrote:
>>
>> I support Hanno's suggestion of doing just SHA512, but would be
>> interested in hearing opinions from others who have apparent
>> security/crypto experience. Maybe the Security project can weigh the
>> suggestions as well?
>>
>
> The whole discussion is moot so long as we don't have OpenPGP signed
> gentoo repository in rsync.
>
> SHA2-512 is generally quicker than sha256 on 64 bit architectures, but
> considerably slower for some architectures. Introducing a non-optimized
> keccak on top of it will have a significant negative performance impact
> for these arches without much security gain.
>
> if we still want two separate hashes, the choice of sha2 and sha3
> combination is a good one given they are based on separate constructs.
>
> But IMHO we should start where things matter and complete an
> implementation for OpenPGP signatures of MetaManifests in Portage.
>

This is why I use webrsync-gpg. Git commits are supposed to be GPG-signed,
so that may be suitable for your purposes.

Cheers,
     R0b0t1.
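The thread above weighs whether a Manifest should carry one hash (SHA512) or two from independent constructions (SHA2 plus SHA3). The following is an added example, not code from the thread or from Portage: it parses a Manifest2-style `DIST` line and verifies file contents against every listed hash, requiring all of them to match so that a substituted distfile would have to collide under each algorithm at once. The distfile bytes and the manifest line are constructed inline for the demo, and the algorithm table and the "SHA512 required" policy are assumptions of this script rather than Portage's rules.

```python
"""Verify a distfile against a Manifest2-style DIST entry with several hashes.

Added example (not from the gentoo-dev thread or from Portage). The line
layout mirrors Manifest2: DIST <name> <size> <ALGO> <hex> [<ALGO> <hex> ...].
"""
import hashlib
import hmac

# Manifest algorithm names mapped to hashlib constructors. Which names are
# accepted is an assumption of this demo, not Portage's policy.
ALGOS = {
    "SHA256": hashlib.sha256,
    "SHA512": hashlib.sha512,
    "SHA3_512": hashlib.sha3_512,
    "BLAKE2B": hashlib.blake2b,
}


def parse_dist_line(line):
    """Split a DIST line into (name, size, {ALGO: hex}); raise on malformed input."""
    fields = line.split()
    # Need "DIST name size" plus at least one ALGO/hex pair, and pairs must be even.
    if len(fields) < 5 or fields[0] != "DIST" or (len(fields) - 3) % 2:
        raise ValueError("malformed DIST line: %r" % line)
    name, size = fields[1], int(fields[2])
    hashes = dict(zip(fields[3::2], fields[4::2]))
    return name, size, hashes


def verify_dist(data, size, hashes, required=("SHA512",)):
    """Return (ok, details).

    ok is True only when the size matches, every required algorithm is present,
    and every hash we know how to compute matches. Hashes for algorithms not in
    ALGOS are reported as "unknown" and do not count as failures on their own;
    that is why `required` exists: a manifest listing only algorithms we cannot
    check must not verify.
    """
    details = {"size": len(data) == size}
    ok = details["size"]
    for algo in required:
        if algo not in hashes:
            details[algo] = "missing"
            ok = False
    for algo, expected in hashes.items():
        ctor = ALGOS.get(algo)
        if ctor is None:
            details[algo] = "unknown"
            continue
        actual = ctor(data).hexdigest()
        # Constant-time comparison; expected hex is normalised to lowercase.
        match = hmac.compare_digest(actual, expected.lower())
        details[algo] = match
        ok = ok and match
    return ok, details


# Constructed sample distfile and a matching two-hash manifest line (SHA2 + SHA3).
SAMPLE_DATA = b"example distfile contents\n"
SAMPLE_LINE = "DIST example-1.0.tar.gz %d SHA512 %s SHA3_512 %s" % (
    len(SAMPLE_DATA),
    hashlib.sha512(SAMPLE_DATA).hexdigest(),
    hashlib.sha3_512(SAMPLE_DATA).hexdigest(),
)


def demo():
    """Verify the sample once as-is and once with a one-byte modification."""
    _name, size, hashes = parse_dist_line(SAMPLE_LINE)
    ok, _ = verify_dist(SAMPLE_DATA, size, hashes)
    tampered_ok, _ = verify_dist(SAMPLE_DATA + b"x", size, hashes)
    return ok, tampered_ok


if __name__ == "__main__":
    print("intact, tampered:", demo())
```

Two design points worth noting: unknown algorithms are skipped rather than failed so a newer manifest can still be checked by an older verifier, but the `required` set guarantees that at least one hash the verifier understands must be present and correct; and the all-must-match rule is what makes a SHA2/SHA3 pair stronger than either alone, since a forged file has to defeat both independent constructions. None of this replaces an OpenPGP signature over the Manifest itself, which is the point Kristian makes above: without a signature, the hashes only attest that the distfile matches whatever Manifest was delivered.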