[prev in list] [next in list] [prev in thread] [next in thread] 

List:       gentoo-dev
Subject:    Re: [gentoo-dev] [RFC] Removing SHA512 hash from Manifests
From:       Thomas Deutschmann <whissi () gentoo ! org>
Date:       2021-07-26 15:24:29
Message-ID: c848c0ae-3252-53f9-5ce0-be455a25d0d4 () gentoo ! org
[Download RAW message or body]

[Attachment #2 (multipart/mixed)]


On 2021-07-25 08:27, Michał Górny wrote:
> On Sun, 2021-07-25 at 01:12 +0200, Thomas Deutschmann wrote:
>> I don't understand. Isn't it the same motion we put down just 2
>> months ago [1]? Or is this something new?
>> 
>> If this isn't something new, what has changed since May [2]?
> 
> Apparently it has not been 'put down' because it came back via open 
> bugs.

Open bugs? Could you please link them here?


>> To remember: Currently we have two different hashes for every
>> distfile. If we are going to throw this data away, we should really
>> have good reasons to do that. Like said during that council
>> meeting, BLAKE2B and SHA512 are competing hashes. What's wrong with
>> having a backup plan even for a very unlikely scenario, that
>> BLAKE2B will get broken?
> 
> Define 'broken'.

To quote from chapter 9 of the Handbook of Applied Cryptography, by
Menezes, van Oorschot and Vanstone:

> If, for a given hash function, an attack is found, which, by
> exploiting special details of how the hash function operates, finds a
> preimage, a second preimage or a collision faster than the
> corresponding generic attack, then the hash function is said to be
> "broken".

This happened publicly for SHA1 in 2017.


>> Remember that verify-sig.eclass I criticized last year? Of course
>> some scenarios I outlined were very unlikely and I never expected
>> that I can run around in near future saying "I told you". But in
>> January 2021, CVE-2021-3345 happened in libgcrypt...
> 
> I don't see how this is relevant either.  Are you admitting that
> you're criticizing all my ideas because I just happen to propose
> them?

No, I am not criticizing ideas because *you* proposed them. I share my 
criticism when I have some concerns or believe the proposal has some 
flaws. You maybe have that impression because you are very active and 
most proposals are coming from you. In the end, we both are hopefully 
sharing the same goal to make Gentoo better...


-- 
Regards,
Thomas Deutschmann / Gentoo Linux Developer
fpr: C4DD 695F A713 8F24 2AA1 5638 5849 7EE5 1D5D 74A5


["OpenPGP_signature.asc" (application/pgp-signature)]

[prev in list] [next in list] [prev in thread] [next in thread]