Hi Sam,

On Wed, Apr 6, 2022 at 2:02 AM Sam James <s...@gentoo.org> wrote:
> This matches my views and recollection. We could revisit it
> if there was a passionate advocate (which it looks like there may well be).
>
> While I wasn't against it before, I was sort of ambivalent given
> we had no strong reason to, but I'm more willing now given
> we're also cleaning out other Portage cruft at the same time.

I think actually the argument I'm making this time might be subtly
different from the motions that folks went through last year.
Specifically, the idea last year was to switch to using BLAKE2b only.
I think what the arguments I'm making now point to is switching to
SHA2-512 only.

There are two reasons for this.

1) Security: since the GPG signatures use SHA2-512, then the whole
system breaks if SHA2-512 breaks. If we choose BLAKE2b as our only
hash, then if either SHA2-512 or BLAKE2b break, then the system
breaks. But if we choose SHA2-512 as our only hash, then we only need
to worry about SHA2-512 breaking.

2) Comparability: other distros use SHA2-512, as well as various
upstreams, which means we can compare our hashes to theirs easily.

A reason why some people might prefer BLAKE2b over SHA2-512 is a
performance improvement. However, seeing as right now we're opening
the file, reading it, computing BLAKE2b, closing the file, opening the
file again, reading it again, computing SHA2-512, closing the file, I
don't think performance is actually something people care about. Seen
differently, removing either one of them will already give us a
performance "boost" of sorts.

Jason
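
An added example, not part of the message above and not Portage's own code: it checks a Manifest `DIST` entry by reading the file once and feeding each chunk to every digest the policy requires, so a two-hash policy and a SHA2-512-only policy differ only in the `required` tuple. The function names, the file name `example-1.0.tar.xz` and the sample data are constructed for illustration.

```python
import hashlib
import io

# Manifest hash names mapped to hashlib constructors (blake2b defaults to 64-byte output).
HASHES = {"BLAKE2B": hashlib.blake2b, "SHA512": hashlib.sha512}

def parse_dist(line):
    """Split 'DIST <name> <size> <HASH> <hex> ...' into (name, size, {HASH: hex})."""
    fields = line.split()
    if len(fields) < 5 or fields[0] != "DIST" or len(fields) % 2 != 1:
        raise ValueError("not a well-formed DIST entry")
    pairs = fields[3:]
    return fields[1], int(fields[2]), dict(zip(pairs[0::2], pairs[1::2]))

def verify(stream, size, expected, required=("SHA512",), chunk=1 << 16):
    """Read the stream once, feeding each chunk to every required digest."""
    missing = [h for h in required if h not in expected]
    if missing:
        raise ValueError(f"entry lacks required hash(es): {missing}")
    digests = {h: HASHES[h]() for h in required}
    total = 0
    while block := stream.read(chunk):
        total += len(block)
        for d in digests.values():
            d.update(block)
    # Size and every required digest must match; one mismatch fails the file.
    return total == size and all(
        digests[h].hexdigest() == expected[h].lower() for h in required)

# Constructed sample: a fake distfile and the DIST line a Manifest would carry for it.
SAMPLE = b"constructed distfile contents\n" * 1000
DIST_LINE = "DIST example-1.0.tar.xz {} BLAKE2B {} SHA512 {}".format(
    len(SAMPLE), hashlib.blake2b(SAMPLE).hexdigest(), hashlib.sha512(SAMPLE).hexdigest())

if __name__ == "__main__":
    name, size, hashes = parse_dist(DIST_LINE)
    for policy in (("BLAKE2B", "SHA512"), ("SHA512",)):
        ok = verify(io.BytesIO(SAMPLE), size, hashes, required=policy)
        print(name, "+".join(policy), "OK" if ok else "MISMATCH")
```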
