Re: [gentoo-dev] [RFC] New Manifest hashes and how to enable them

Michał Górny schrieb: I think the first reasonable change would be to deprecate SHA256. It is pretty much the same algorithm as SHA512, except for different parameters. It is weaker than SHA512, and SHA512 is supported on all existing platforms anyway. I think there is nothing wrong or

Re: [gentoo-dev] [RFC] New Manifest hashes and how to enable them

[Sent from my iPad, as it is not a secured device there are no cryptographic keys on this device, meaning this message is sent without an OpenPGP signature. In general you should *not* rely on any information sent over such an unsecure channel, if you find any information controversial or

Re: [gentoo-dev] [RFC] New Manifest hashes and how to enable them

> On Mon, 3 Apr 2017, Dirkjan Ochtman wrote: > This seems pretty hasty. > First of all, SHA-256 should be safe for all intents and purposes, > and for the foreseeable future. This is nothing like Git's usage of > SHA-1, which was known to be on the way to brokenville for a long > time. I

Re: [gentoo-dev] [RFC] New Manifest hashes and how to enable them

Hi, On Mon, 3 Apr 2017 22:00:15 +0200 Dirkjan Ochtman wrote: > First of all, SHA-256 should be safe for all intents and purposes, and > for the foreseeable future. This is nothing like Git's usage of SHA-1, > which was known to be on the way to brokenville for a long time. I >

Re: [gentoo-dev] [RFC] New Manifest hashes and how to enable them

On Mon, Apr 3, 2017 at 7:09 PM, Michał Górny wrote: > Your thoughts? This seems pretty hasty. First of all, SHA-256 should be safe for all intents and purposes, and for the foreseeable future. This is nothing like Git's usage of SHA-1, which was known to be on the way to

Re: [gentoo-dev] [RFC] New Manifest hashes and how to enable them

On wto, 2017-04-04 at 00:32 +0700, Vadim A. Misbakh-Soloviov wrote: > Good idea, but all the time I read it from first mention until the end of > your > email, I asked myself: "Who the hell on the Earth need GOST-crypto crap in > portage?". > > The only purpose of this crypto algorythms is to

Re: [gentoo-dev] [RFC] New Manifest hashes and how to enable them

On Tue, Apr 04, 2017 at 12:49:16AM +0700, Vadim A. Misbakh-Soloviov wrote: > > What is the gain of using a secure hash > > algorithm in the manifests if you can simply replace the manifest with a > > MITM attack on the rsync update? > I'd say "the solution is to stop using rsync and use git"

Re: [gentoo-dev] [RFC] New Manifest hashes and how to enable them

On Mon, 2017-04-03 at 19:09 +0200, Michał Górny wrote: > Therefore, my proposal would be to use the following set once their > support reaches the stable version of Portage: > >   manifest-hashes = SHA512 SHA3-512 WHIRLPOOL > > > Your thoughts? > > > > [1]:https://bugs.gentoo.org/612716 >

Re: [gentoo-dev] [RFC] New Manifest hashes and how to enable them

> What is the gain of using a secure hash > algorithm in the manifests if you can simply replace the manifest with a > MITM attack on the rsync update? I'd say "the solution is to stop using rsync and use git" (there is git mirror with all the metadata), but... Git does not support (correct me,

Re: [gentoo-dev] [RFC] New Manifest hashes and how to enable them

Good idea, but all the time I read it from first mention until the end of your email, I asked myself: "Who the hell on the Earth need GOST-crypto crap in portage?". The only purpose of this crypto algorythms is to use them in Russian government-related structures (includig schools, tho :-/ )

Re: [gentoo-dev] [RFC] New Manifest hashes and how to enable them

> manifest-hashes = SHA512 SHA3-512 WHIRLPOOL > > Your thoughts? I just want to point out that according to GLEP 63 we only require pgp signatures with at least sha-256 [1]. Further, our PGP signatures by the release team are as well either SHA-256/SHA-512. So using SHA3-512 (or whirlpool for

[gentoo-dev] [RFC] New Manifest hashes and how to enable them

Hi, everyone. I'd like to open an early discussion and start planning transition to an updated set of Manifest hashes. Current state = The current hash set includes the three following hashes: - SHA256 (SHA2), - SHA512 (SHA2), - Whirlpool. Of these three hashes, SHA256 is