From: "Robin H. Johnson"
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] Manifest2 hashes, take n+1-th
Date: Sat, 21 Oct 2017 16:26:05 +0000

On Fri, Oct 20, 2017 at 05:21:47PM -0500, R0b0t1 wrote:
> I would like to present my suggestions:
>
> SHA512, (RIPEMD160 | WHIRLPOOL | BLAKE2B), (SHA3_512 | BLAKE2B);
>
> or more definitively:
>
> SHA512, RIPEMD160, BLAKE2B.

Please do NOT reintroduce RIPEMD160. It was one of the older Portage
hashes prior to implementation of GLEP059, and was removed because it
was shown to fall to parts of the same attacks as MD4/MD5 by Wang's
paper in 2004.

Wang, X. et al. (2004). "Collisions for Hash Functions MD4, MD5,
HAVAL-128 and RIPEMD", rump session, CRYPTO 2004, Cryptology ePrint
Archive, Report 2004/199, first version (August 16, 2004), second
version (August 17, 2004). Available online from:
http://eprint.iacr.org/2004/199.pdf

-- 
Robin Hugh Johnson
Gentoo Linux: Dev, Infra Lead, Foundation Asst. Treasurer
E-Mail   : robbat2@gentoo.org
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85
GnuPG FP : 7D0B3CEB E9B85B1F 825BCECF EE05E6F6 A48F6136