From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 740CD1396D9 for ; Tue, 21 Nov 2017 03:15:34 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id DDA0DE0E97; Tue, 21 Nov 2017 03:15:27 +0000 (UTC) Received: from mail-yw0-x233.google.com (mail-yw0-x233.google.com [IPv6:2607:f8b0:4002:c05::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 7F12DE0E81 for ; Tue, 21 Nov 2017 03:15:27 +0000 (UTC) Received: by mail-yw0-x233.google.com with SMTP id z125so3722387ywb.0 for ; Mon, 20 Nov 2017 19:15:27 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to; bh=e/3Ky6Eic256dG+h+KvCgbo0INOvoOC6fe2twimeipc=; b=VYGZ7Cj4BSv8ulRtnwlaMCxluyLZwrj1NgJLTpV285Wdsmr5/gevvdp5cFWcgob3yU TuYbUpJoFPuu9Ba5QWdxBhrmezJe18p7eiFjkDCjzgFgT1Na5Rjib9ifz4ycJoBaEqBc TO8y5HsSNjgc8fOiG87st7smKj3yACcPwYfaVwW4E3CihMfZW4SXiF7a61zUx+3CkxRN kxQ6XvInrQGxZC2EgHJIUlNNlwIyeCvlo9LaQuhzo4iktjAn9y3l9ymydssW5QB+cnyl emsHtwd2IA6E0seRXIu0P8+EFFGYVOPd/TfJlGUrooNiOTZzpvT9YlCRRJbIN0WixIB5 1Uaw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to; bh=e/3Ky6Eic256dG+h+KvCgbo0INOvoOC6fe2twimeipc=; b=ZK8YvutR+Q5S9aXtJVAPtDzNiYcF/upSneU4RKHHhme+sfX1kQio7CaaOSEhI8ywme QkVASqbW7FO4qoy/Ik06rnNJluHIYkwNg2GnQNwsjEKL5cW3QCm7qs7n4XQ5ZO+4wQgp HtaKrYbESC4PW+FpPQoCpphdbsZ0R9MogVlxeEprAAxKhORivJ4aVx/X/iZbtT9rcNjY 2fEm064er37zFfFyYI4c8QEN2RCMqSlOqU//MKdLP6Bdcjyge5R1EMwaWUonYzwy7uoj K3/P0aaAeTAe1idkXrsH5j6pwJRPzGHs/f0pGzjbicYKiEi55WxNrP0hjaVV/zXqTzcS UIOw== X-Gm-Message-State: AJaThX68TUi5y7UG/5sTo5a/mtY++cNf2kDBWbaYYwnZ1uI5t3rPomfT kJfggo8pIbFOPrdh22iyxuY4SGk2+ndrYlsN2dU= X-Google-Smtp-Source: AGs4zMYujZARp/mY693kbUd+yOAMwRSlmZ8C0BNXjraHfRj50q9ZGL0iYphaZ5g0Dm219iXCPD/KdzNZcsFS6DaRcNk= X-Received: by 10.129.166.9 with SMTP id d9mr10107431ywh.108.1511234126136; Mon, 20 Nov 2017 19:15:26 -0800 (PST) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-dev@lists.gentoo.org Reply-to: gentoo-dev@lists.gentoo.org MIME-Version: 1.0 Received: by 10.13.246.132 with HTTP; Mon, 20 Nov 2017 19:15:25 -0800 (PST) In-Reply-To: References: From: R0b0t1 Date: Mon, 20 Nov 2017 21:15:25 -0600 Message-ID: Subject: Re: [gentoo-dev] Manifest2 hashes: validation of single hash per MANIFESTx_REQUIRED_HASH To: gentoo-dev@lists.gentoo.org Content-Type: text/plain; charset="UTF-8" X-Archives-Salt: d5f72623-5710-494c-abed-4299390880ab X-Archives-Hash: 1b3d8d49b0395daf5b44c48ca8d44181 On Mon, Nov 20, 2017 at 9:00 PM, R0b0t1 wrote: > Hello friends! > > On Wed, Nov 15, 2017 at 3:02 PM, Robin H. Johnson wrote: >> Replying to your original question here, to repeat the answer I emphasised >> before, along with significantly more detail in the history of Portage hashes >> (pulled from my notes back to GLEP57 and some minor updates). >> >> On Wed, Nov 08, 2017 at 12:57:49PM -0600, R0b0t1 wrote: >>> These posts are concerning because it looks like someone became stir >>> crazy and invented a problem to solve. The changes proposed to date >>> have remained poorly justified, and no one has addressed the concern >>> that multiple hashes *is* actually more secure. >>> >>> If it was deemed necessary at one point, what justification was used? >>> I.e. https://en.wikipedia.org/wiki/Wikipedia:Chesterton's_fence. >> On Wed, Nov 15, 2017 at 11:47:41AM -0600, R0b0t1 wrote: >>> Does the existence of a decision mean I would need to contact the trustees >>> if I feel the changes have not been adequately justified? >> >> In GLEP59, I referenced a paper by Joux [J04], in which it was shown that a >> concatenation of multiple hashes is NOT much more secure against collisions >> than the strongest of the individual hashes. >> >> That was cited as original logic in GLEP59 for the removal of SHA256 (that >> removal was never implemented). WHIRLPOOL & SHA512 were kept out of an >> abundance of caution at the time, mostly to implementation bugs in hashes (as I >> have referenced in the related threads since). >> >> Your logic regarding removing something you think I don't understand is wrong >> (Chesterton's Fence): >> >> If you dig in the history of Portage, you will see that it's always been valid, >> to have just a SINGLE hash for each file in a Manifest. Required hashes has >> NEVER contained more than one hash. >> >> If multiple hashes are present, then Portage will validate all of them, but a >> potential attacker can still modify the Manifest and have only a single hash >> listed. Exactly which hash MUST be present has changed over time. >> >> Manifest1 is very old, and was stored in $CAT/$PN/files/digest-$P >> Manifest2 is the current $CAT/$PN/Manifest (and soon in more locations per MetaManifest). >> >> 1999/xx/xx: Portage starts with Manifest1 format, MD5-only (CVS) >> 2004/08/25: Portage gets SHA1 support in Manifest1, but is problematic, SHA1 generation manual only. >> https://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-src/portage/pym/portage_checksum.py?revision=1.1&view=markup >> https://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-src/portage/pym/portage.py?r1=1.485&r2=1.486 >> 2005/12/19: Portage Manifest1 supports MD5,SHA1,SHA256,RMD160, but still requires only a single hash present. Generates MD5+SHA256+RMD160. >> https://gitweb.gentoo.org/proj/portage.git/commit/?id=cd3e3775966a9f58aebb91f58cbdb5903faad3de >> 2006/03/24: Manifest2 introduced. >> https://gitweb.gentoo.org/proj/portage.git/commit/?id=f993747ca501e8a70d6f6174711149a172cfc3c2 >> 2007/01/20: MANIFEST2_REQUIRED_HASH introduced, SHA1, it must be present & pass >> https://gitweb.gentoo.org/proj/portage.git/commit/?id=e768571187d1655fbb558c23d61fa2983e48e411 >> 2007/12/18: MANIFEST1_REQUIRED_HASH introduced, MD5, it must be present & pass >> https://gitweb.gentoo.org/proj/portage.git/commit/?id=d9b10deaa03ce174d5ccc3b59c477549ad87e884 >> 2008/02/28: Manifest1 support dropped. >> https://gitweb.gentoo.org/proj/portage.git/commit/?id=66940e1f2f0549ee8f01dad59016e168105e193d >> 2011/10/02: GLEP59 implemented, MANIFEST2_REQUIRED_HASH changes to SHA256 >> https://gitweb.gentoo.org/proj/portage.git/commit/?id=c8cd3a985cc529299411d7343a11004b7d1330ef >> 2017/06/15: MANIFEST2_REQUIRED_HASH changes to SHA512 >> https://gitweb.gentoo.org/proj/portage.git/commit/?id=e6abcc0b7cbdca481862a5c7cca946c01c471ffb >> >> [J04] Joux, Antoie. (2004). "Multicollisions in Iterated Hash Functions - Application to Cascaded Constructions;" >> Proceedings of CRYPTO 2004, Franklin, M. (Ed); Lecture Notes in Computer Science 3152, pp. 306-316. >> Available online from: http://web.cecs.pdx.edu/~teshrim/spring06/papers/general-attacks/multi-joux.pdf >> > > This is the information I was looking for, thank you. I feel that the > matter has been adequately explained. I apologize for missing your > response. > > The paper gives a counter intuitive result, so I suspect I will have > to spend more time with it. > I appreciate the thought that robbat2 gave to his response, but I would like to clarify that it is beyond and above what I expected. What I wanted to avoid was something I encountered on the GCC mailing list: When I asked why GCJ was removed, I was told that it was hard to maintain. When I asked for an example of past maintenance issues (and made it clear I had no interest in disputing whether the issues were valid or not) I received no reply from the maintainer except his original answer, leaving me to wonder whether GCJ was actually hard to maintain. I have seen similar exchanges associated with other projects. Cheers, R0b0t1