Hi Ulrich,

On Tue, Apr 5, 2022 at 4:10 PM Ulrich Mueller <u...@gentoo.org> wrote:
> The OpenPGP signature is for the top-level Manifest only. In case there
> was any trouble, it would be trivial to change the hash algorithm used
> for this.
>
> In contrast to that, updating the hashes in all Manifest files is a
> huge pain in the neck. Basically, you must download all distfiles, which
> is not trivial. For example, think of fetch-restricted files. (I've
> helped twice with updating Manifest files, so I believe I know what I'm
> talking about. :)
The thing is, if SHA-512 is broken, that will really be the least of our concerns. TLS itself will be broken....

Jason
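The asymmetry Ulrich describes (re-signing the top-level Manifest is cheap, re-hashing every DIST entry needs every distfile) can be made concrete with a small Manifest model. The following is an added illustration, not code from Gentoo, Portage, or anyone in this thread. It models DIST lines after the `DIST <name> <size> <ALGO> <hex> ...` form, uses constructed file contents and a constructed Manifest, and assumes a hypothetical policy under which SHA512 alone is no longer accepted and a hypothetical `SHA3_512` algorithm name is; all function names are my own.

```python
"""Hash agility in Gentoo-style Manifest files (added illustration, not Gentoo's code)."""
import hashlib
from typing import Dict, List, Optional

# Manifest algorithm names as they appear in DIST lines, mapped to hashlib names.
# SHA3_512 is a hypothetical entry used to model "a newer accepted algorithm".
HASHLIB_NAME = {"BLAKE2B": "blake2b", "SHA512": "sha512", "SHA3_512": "sha3_512"}


def digest(algo: str, data: bytes) -> str:
    """Hex digest of data under a Manifest algorithm name."""
    return hashlib.new(HASHLIB_NAME[algo], data).hexdigest()


def make_dist_line(name: str, data: bytes, algos: List[str]) -> str:
    """Build one 'DIST <name> <size> <ALGO> <hex> ...' line from file contents."""
    fields = ["DIST", name, str(len(data))]
    for algo in algos:
        fields += [algo, digest(algo, data)]
    return " ".join(fields)


def parse_manifest(text: str) -> List[Dict]:
    """Parse DIST lines into dicts: {name, size, hashes: {ALGO: hex}}."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "DIST":
            continue  # only DIST lines are modelled here
        hashes = dict(zip(fields[3::2], fields[4::2]))
        entries.append({"name": fields[1], "size": int(fields[2]), "hashes": hashes})
    return entries


def verify_entry(entry: Dict, data: bytes, accepted: List[str]) -> bool:
    """A file passes if its size matches, every hash we can compute matches,
    and at least one of those hashes uses a still-accepted algorithm."""
    if len(data) != entry["size"]:
        return False
    checked_accepted = False
    for algo, expected in entry["hashes"].items():
        if algo not in HASHLIB_NAME:
            continue  # unknown algorithm: cannot be checked, so it cannot vouch for the file
        if digest(algo, data) != expected:
            return False
        if algo in accepted:
            checked_accepted = True
    return checked_accepted


def entries_needing_rehash(entries: List[Dict], accepted: List[str]) -> List[str]:
    """Names of entries carrying no hash under an accepted algorithm.
    A new digest cannot be derived from an old one, so fixing these needs the distfile bytes."""
    return [e["name"] for e in entries if not set(e["hashes"]) & set(accepted)]


def rehash_entry(entry: Dict, data: Optional[bytes], algos: List[str]) -> Optional[str]:
    """Fresh DIST line with the requested algorithms, or None when the distfile
    is unavailable locally (the fetch-restricted case)."""
    if data is None:
        return None
    return make_dist_line(entry["name"], data, algos)


# Constructed distfile contents (placeholders, not real tarballs).
LOCAL_DISTFILES = {
    "foo-1.0.tar.gz": b"constructed tarball bytes for foo",
    "bar-2.1.tar.xz": b"constructed tarball bytes for bar",
}
# Constructed content of a fetch-restricted file that is NOT present locally;
# used only to build the sample Manifest, as if someone hashed it once by hand.
_RESTRICTED = b"constructed bytes for old, fetched manually once"

SAMPLE_MANIFEST = "\n".join([
    make_dist_line("foo-1.0.tar.gz", LOCAL_DISTFILES["foo-1.0.tar.gz"], ["BLAKE2B", "SHA512"]),
    make_dist_line("bar-2.1.tar.xz", LOCAL_DISTFILES["bar-2.1.tar.xz"], ["BLAKE2B", "SHA512"]),
    make_dist_line("old-0.9.tar.gz", _RESTRICTED, ["SHA512"]),  # legacy entry with a single hash
])


def migration_report(manifest: str, accepted: List[str],
                     local: Dict[str, bytes]) -> Dict[str, Optional[str]]:
    """For every entry lacking an accepted hash, try to rehash from local files.
    A None value means the distfile must be re-downloaded before the Manifest can move on."""
    entries = parse_manifest(manifest)
    by_name = {e["name"]: e for e in entries}
    return {name: rehash_entry(by_name[name], local.get(name), accepted)
            for name in entries_needing_rehash(entries, accepted)}


if __name__ == "__main__":
    # Hypothetical policy: SHA512 on its own no longer counts.
    print(migration_report(SAMPLE_MANIFEST, ["BLAKE2B", "SHA3_512"], LOCAL_DISTFILES))
```

Run as a script it reports `{'old-0.9.tar.gz': None}`: the two entries that already carry a BLAKE2B hash keep verifying under the new policy without touching any file, while the single-hash entry can only be migrated once its distfile is fetched again. Signing the top-level Manifest with a different OpenPGP digest, by comparison, needs only that one file.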