Bug 888884 - Deprecate support for WHIRLPOOL in checksums
Status: CONFIRMED
Alias: None
Product: Portage Development
Classification: Unclassified
Component: Core
Hardware: All Linux
Importance: Normal normal
Assignee: Portage team
Depends on: 926060
Reported: 2022-12-29 19:40 UTC by Sam James
Modified: 2024-03-03 01:42 UTC
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-12-29 19:40:42 UTC
bug 885909 showed us that we're not testing it enough in some configurations (like OpenSSL 3) and it's considered quite obsolete in the cryptography community.

We should warn on it when used in a Manifest and warn when it's used in metadata/layout.conf at least.

In portage-3.0.43 NEWS, I've added:
>  Whirlpool is considered deprecated within Portage and we recommend that
>  repository maintainers remove it from `metadata/layout.conf`!
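The check proposed in the description (warn when WHIRLPOOL appears in a Manifest or in `metadata/layout.conf`) could look like the following. This is an added example, not Portage's own code: the function names and the sample data are constructed, and it assumes the `manifest-hashes` / `manifest-required-hashes` keys from portage(5) and Manifest entries of the form `TYPE name size HASH value ...`.

```python
# Added example: flag deprecated hashes in repository metadata.
# Function names and sample data are constructed for illustration.
DEPRECATED = {"WHIRLPOOL"}
LAYOUT_KEYS = ("manifest-hashes", "manifest-required-hashes")

SAMPLE_LAYOUT = """\
masters = gentoo
# hashes written into newly generated Manifests
manifest-hashes = BLAKE2B SHA512 WHIRLPOOL
manifest-required-hashes = BLAKE2B
"""

SAMPLE_MANIFEST = """\
DIST foo-1.0.tar.gz 1234 BLAKE2B aaaa SHA512 bbbb WHIRLPOOL cccc
DIST bar-2.0.tar.gz 99 BLAKE2B dddd SHA512 eeee
"""

def layout_conf_findings(text):
    """Return (key, hash) pairs where layout.conf lists a deprecated hash."""
    findings = []
    for raw in text.splitlines():
        key, sep, value = raw.split("#", 1)[0].partition("=")
        if sep and key.strip() in LAYOUT_KEYS:
            findings += [(key.strip(), name.upper()) for name in value.split()
                         if name.upper() in DEPRECATED]
    return findings

def manifest_findings(text):
    """Return (type, filename, hash) for entries carrying a deprecated hash."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        # Skip blank lines and OpenPGP armor: real entries have a numeric size.
        if len(fields) < 5 or not fields[2].isdigit():
            continue
        # Hash names sit at every second field after the size.
        findings += [(fields[0], fields[1], name) for name in fields[3::2]
                     if name in DEPRECATED]
    return findings

def warnings_for(layout_text, manifest_text):
    msgs = [f"layout.conf: {key} lists deprecated hash {name}"
            for key, name in layout_conf_findings(layout_text)]
    msgs += [f"Manifest: {kind} {fname} carries deprecated hash {name}"
             for kind, fname, name in manifest_findings(manifest_text)]
    return msgs

if __name__ == "__main__":
    for msg in warnings_for(SAMPLE_LAYOUT, SAMPLE_MANIFEST):
        print("WARNING:", msg)
```
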
Comment 1 Larry the Git Cow gentoo-dev 2023-03-21 02:30:31 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/proj/portage.git/commit/?id=992cf6e5ecbc8de428792fe27bb821d04e03097c

commit 992cf6e5ecbc8de428792fe27bb821d04e03097c
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-03-21 02:29:34 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-03-21 02:30:24 +0000

    NEWS: update for checksum cleanups
    
    Bug: https://bugs.gentoo.org/597736
    Bug: https://bugs.gentoo.org/615620
    Bug: https://bugs.gentoo.org/885909
    Bug: https://bugs.gentoo.org/888884
    Signed-off-by: Sam James <sam@gentoo.org>

 NEWS | 51 +++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 51 insertions(+)

https://gitweb.gentoo.org/proj/portage.git/commit/?id=377a31434ae51b6e6465ba48b5132eb200a8cf40

commit 377a31434ae51b6e6465ba48b5132eb200a8cf40
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-03-20 03:16:37 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-03-21 02:30:23 +0000

    checksum: drop STREEBOG{256,512} & pygost support
    
    For STREEBOG{256,512}, we had three options that we "supported":
    
    1. using pygost;
    
       pygost is unpackaged in Gentoo and appears to, as of March 2023, have been
       yanked from PyPI too.
    
       Hence not only can we test it on the distribution where we do our development
       (Gentoo), but we also can't acquire it for CI easily either.
    
    2. using pygcrypt;
    
       No longer in Gentoo and the codepath for this has been disabled since 2017(!)
       because of https://bugs.gentoo.org/615620.
    
    3. a slow fallback implementation.
    
       This is not something we can rely on anyway, but this is especially wrong
       given the issues we've had recently with WHIRLPOOL. See https://bugs.gentoo.org/885909.
    
    As for whether we should support STREEBOG at all:
    - Per above, we don't have a decent implementation for it available.
    - We're not testing it very well.
    - Juggling obscure hash algorithms has become a pain because some of them have
      ended up being marked "legacy" or removed from OpenSSL by default.
    - I don't think we should have hash algorithms supported just for the sake of it.
      We're not in the business of supporting every single hash algorithm that a
      library with Python bindings out there provides.
    
    Bug: https://bugs.gentoo.org/597736
    Bug: https://bugs.gentoo.org/615620
    Bug: https://bugs.gentoo.org/885909
    Bug: https://bugs.gentoo.org/888884
    Signed-off-by: Sam James <sam@gentoo.org>

 lib/portage/checksum.py                 | 25 +------------------------
 lib/portage/tests/util/test_checksum.py | 26 --------------------------
 tox.ini                                 |  1 -
 3 files changed, 1 insertion(+), 51 deletions(-)