Hi Rich,

On 4/6/22, Rich Freeman <ri...@gentoo.org> wrote:
> On Tue, Apr 5, 2022 at 8:05 PM Sam James <s...@gentoo.org> wrote:
> Our security fails currently if EITHER SHA2-512 or a hardened version
> of SHA-1 are defeated.  Our top gpg signature is bound to a git commit
> record by SHA2-512, and the git commit record is bound to everything
> else in the repository (including the manifest objects) by SHA-1,
> because git hasn't transitioned away from that (as far as I'm aware it
> is still a work in progress - the SHA-1 algorithm it uses is hardened
> against known attacks).

Sort of. The security between infra and users relies on SHA2-512. The
security between devs and infra relies on SHA-1. I guess the "full
system" depends on both, but I've been focused on the more likely
issue of a community-run mirror serving bogus files.

> I agree that this is an unlikely scenario, so it is a judgement call
> as to whether the ease of recovery in the event of a failure is worth
> the cost to maintain the second hash.  I agree that we'd need double
> algorithms in the whole stack to prevent a failure, but in the current
> state we do have advantages for recovering from a failure after the
> fact.
>
> It seems that the likely scenario is that we get advance warning of
> weaknesses in a hash function, but without a practical exploit being
> readily available.  In that case we could do a more orderly
> transition.  We'd still save time with the double hashed manifests,
> and whether this makes a difference is hard to say.

Yea, I see this argument, but I don't quite buy it. Maintaining two
sets of hashes for the unlikely event that one gets broken AND we
absolutely cannot incrementally transition gradually to an unbroken
one seems rather overblown.

Jason
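As an added illustration of the two points argued in this thread (a mirror serving bogus files is caught as long as every listed digest is checked, and entries that already carry a second digest remain verifiable when one algorithm is later declared broken), here is a small Python verifier. It is example code written for this page, not code from the thread or from Gentoo's package manager; the manifest line format, the function names and the sample file contents are constructed for the example, while the algorithm names are the ones `hashlib` provides.

```python
import hashlib

# Constructed manifest line format (not Gentoo's real Manifest format):
#   <name> <size> <ALGO> <hexdigest> [<ALGO> <hexdigest> ...]
DEFAULT_ALGOS = ("sha512", "sha1")


def compute_hashes(data: bytes, algos=DEFAULT_ALGOS) -> dict:
    """Digest the same bytes with every algorithm in the set."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in algos}


def make_manifest_line(name: str, data: bytes, algos=DEFAULT_ALGOS) -> str:
    """Emit one manifest entry carrying a digest per algorithm."""
    fields = [name, str(len(data))]
    for algo, digest in compute_hashes(data, algos).items():
        fields += [algo.upper(), digest]
    return " ".join(fields)


def parse_manifest_line(line: str) -> dict:
    """Parse an entry back into name, size and an {algo: hexdigest} map."""
    fields = line.split()
    if len(fields) < 4 or len(fields[2:]) % 2:
        raise ValueError("malformed manifest line")
    pairs = fields[2:]
    hashes = {pairs[i].lower(): pairs[i + 1] for i in range(0, len(pairs), 2)}
    return {"name": fields[0], "size": int(fields[1]), "hashes": hashes}


def verify_entry(entry: dict, data: bytes, required=DEFAULT_ALGOS,
                 broken=frozenset()):
    """Return (ok, reason).

    Policy: every required algorithm that has not been declared broken must
    be present in the entry and must match the data.  A forged file therefore
    has to collide under ALL trusted algorithms at once.  Algorithms in
    `broken` contribute no evidence, and at least one trusted one must remain.
    """
    if len(data) != entry["size"]:
        return False, "size mismatch"
    trusted = [algo for algo in required if algo not in broken]
    if not trusted:
        return False, "no trusted hash algorithm remains"
    for algo in trusted:
        expected = entry["hashes"].get(algo)
        if expected is None:
            return False, f"missing {algo} digest"
        if hashlib.new(algo, data).hexdigest() != expected:
            return False, f"{algo} mismatch"
    return True, "ok"


def demo() -> dict:
    """Walk through the scenarios discussed in the thread with constructed data."""
    good = b"constructed sample distfile contents\n"
    bogus = b"constructed sample distfile c0ntents\n"  # same length, one byte changed
    entry = parse_manifest_line(make_manifest_line("sample-1.0.tar.xz", good))
    # A legacy entry that was only ever recorded with the weaker algorithm.
    legacy = parse_manifest_line(
        make_manifest_line("legacy-0.9.tar.xz", good, ("sha1",)))
    sha1_broken = frozenset({"sha1"})
    return {
        # Genuine file from a mirror: both digests match.
        "genuine": verify_entry(entry, good),
        # Bogus file from a mirror: rejected on the first trusted mismatch.
        "tampered": verify_entry(entry, bogus),
        # SHA-1 declared broken after the fact: the second digest still carries
        # the entry without re-signing anything.
        "sha1_broken": verify_entry(entry, good, broken=sha1_broken),
        # An entry that carries only the broken digest cannot be trusted.
        "legacy_sha1_broken": verify_entry(legacy, good, broken=sha1_broken),
        # Every algorithm broken: nothing is left to verify against.
        "all_broken": verify_entry(entry, good,
                                   broken=frozenset({"sha1", "sha512"})),
    }


if __name__ == "__main__":
    for scenario, (ok, reason) in demo().items():
        print(f"{scenario:20s} {'PASS' if ok else 'FAIL'}  ({reason})")
```

The ordering of `required` decides which mismatch is reported first; the outcome does not depend on it, since any single failing digest rejects the file. Dropping an algorithm from `required` instead of adding it to `broken` models the cheaper alternative argued above: a single-hash manifest that is migrated incrementally rather than carried in duplicate.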
