Michał Górny wrote:
I think the first reasonable change would be to deprecate SHA256. It is
pretty much the same algorithm as SHA512, except for different
parameters. It is weaker than SHA512, and SHA512 is supported on all
existing platforms anyway.
I think there is nothing wrong or insecure
[Sent from my iPad, as it is not a secured device there are no cryptographic
keys on this device, meaning this message is sent without an OpenPGP signature.
In general you should *not* rely on any information sent over such an unsecure
channel, if you find any information controversial or un-e
> On Mon, 3 Apr 2017, Dirkjan Ochtman wrote:
> This seems pretty hasty.
> First of all, SHA-256 should be safe for all intents and purposes,
> and for the foreseeable future. This is nothing like Git's usage of
> SHA-1, which was known to be on the way to brokenville for a long
> time. I don'
Hi,
On Mon, 3 Apr 2017 22:00:15 +0200
Dirkjan Ochtman wrote:
> First of all, SHA-256 should be safe for all intents and purposes, and
> for the foreseeable future. This is nothing like Git's usage of SHA-1,
> which was known to be on the way to brokenville for a long time. I
> don't think there
On Mon, Apr 3, 2017 at 7:09 PM, Michał Górny wrote:
> Your thoughts?
This seems pretty hasty.
First of all, SHA-256 should be safe for all intents and purposes, and
for the foreseeable future. This is nothing like Git's usage of SHA-1,
which was known to be on the way to brokenville for a long t
On wto, 2017-04-04 at 00:32 +0700, Vadim A. Misbakh-Soloviov wrote:
> Good idea, but all the time I read it from first mention until the end of
> your email, I asked myself: "Who the hell on the Earth need GOST-crypto crap in
> portage?".
>
> The only purpose of this crypto algorithms is to u
On Tue, Apr 04, 2017 at 12:49:16AM +0700, Vadim A. Misbakh-Soloviov wrote:
> > What is the gain of using a secure hash
> > algorithm in the manifests if you can simply replace the manifest with a
> > MITM attack on the rsync update?
> I'd say "the solution is to stop using rsync and use git" (there
On Mon, 2017-04-03 at 19:09 +0200, Michał Górny wrote:
> Therefore, my proposal would be to use the following set once their
> support reaches the stable version of Portage:
>
> manifest-hashes = SHA512 SHA3-512 WHIRLPOOL
>
>
> Your thoughts?
>
>
>
> [1]:https://bugs.gentoo.org/612716
> [2]
> What is the gain of using a secure hash
> algorithm in the manifests if you can simply replace the manifest with a
> MITM attack on the rsync update?
I'd say "the solution is to stop using rsync and use git" (there is git mirror
with all the metadata), but...
Git does not support (correct me, i
Good idea, but all the time I read it from first mention until the end of your
email, I asked myself: "Who the hell on the Earth need GOST-crypto crap in
portage?".
The only purpose of this crypto algorithms is to use them in Russian
government-related structures (including schools, tho :-/ ) ju
> manifest-hashes = SHA512 SHA3-512 WHIRLPOOL
>
> Your thoughts?
I just want to point out that according to GLEP 63 we only require pgp
signatures with at least sha-256 [1]. Further, our PGP signatures by the
release team are as well either SHA-256/SHA-512.
So using SHA3-512 (or whirlpool for t
Hi, everyone.
I'd like to open an early discussion and start planning transition to
an updated set of Manifest hashes.
Current state
=============
The current hash set includes the three following hashes:
- SHA256 (SHA2),
- SHA512 (SHA2),
- Whirlpool.
Of these three hashes, SHA256 is considere