| Summary: | [TRACKER] manifest-hashes replacement | | |
|---|---|---|---|
| Product: | Gentoo Council | Reporter: | Michał Górny <mgorny> |
| Component: | unspecified | Assignee: | Gentoo Council <council> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | infra-bugs |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 634812, 634936, 642864, 658274 | | |
| Bug Blocks: | | | |

Description
Michał Górny
2017-10-24 18:16:56 UTC
(In reply to Michał Górny from comment #0)
> Ok, so let's track our preparations for the manifest-hash switch. Not sure
> about specific dates yet.
>
> I think we want to do:
>
> manifest-hashes = SHA512 BLAKE2B

This is fine if the goal is to keep two hashes in Manifest files.

> for the migration period, then;
>
> manifest-hashes = BLAKE2B

If we go for one hash only, then why not simply SHA512? It seems that would require the least changes, and it could be deployed immediately. Also SHA512 is still supported more widely.

(Also note that for signing the top-level metamanifest, it has to be hashed by one of gnupg's internal hashes. Currently gnupg supports sha512 but not blake2, so when using blake2 in the tree we would have to rely on _both_ hashes being secure.)

The Council has decided that there's nothing more to be really tracked by the Council here. The switch has succeeded, and the hash replacement is tracked in the other bug.
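
The two settings discussed in this thread (`SHA512 BLAKE2B` during migration, a single hash afterwards) differ in what a verifier has to check per Manifest entry. The following is an added example, not part of the bug discussion and not Portage's code: it parses a `DIST name size HASH hex ...` entry and checks data against every listed hash plus a required set. The function names, file name and sample data are constructed for illustration.

```python
import hashlib

# Manifest hash names mapped to hashlib; BLAKE2B here is the 512-bit digest.
HASHERS = {"SHA512": hashlib.sha512, "BLAKE2B": hashlib.blake2b}

def parse_entry(line):
    """Parse 'TYPE name size HASH hex [HASH hex ...]' into a dict."""
    fields = line.split()
    if len(fields) < 5 or (len(fields) - 3) % 2:
        raise ValueError("malformed Manifest entry")
    hashes = dict(zip(fields[3::2], fields[4::2]))
    return {"type": fields[0], "name": fields[1],
            "size": int(fields[2]), "hashes": hashes}

def verify(entry, data, required):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    if len(data) != entry["size"]:
        problems.append("size mismatch")
    # A hash the policy requires must be present, not merely correct if present.
    for name in required:
        if name not in entry["hashes"]:
            problems.append(f"{name} missing from entry")
    # Every hash that is listed must match; one bad digest fails the file.
    for name, expected in entry["hashes"].items():
        if name not in HASHERS:
            problems.append(f"{name} unsupported")
        elif HASHERS[name](data).hexdigest() != expected.lower():
            problems.append(f"{name} mismatch")
    return problems

def make_entry(name, data, hash_names):
    """Build a constructed DIST entry for sample data (illustration only)."""
    parts = ["DIST", name, str(len(data))]
    for h in hash_names:
        parts += [h, HASHERS[h](data).hexdigest()]
    return " ".join(parts)

if __name__ == "__main__":
    data = b"constructed sample distfile contents\n"
    entry = parse_entry(make_entry("example-1.0.tar.gz", data,
                                   ["BLAKE2B", "SHA512"]))
    print(verify(entry, data, ["SHA512", "BLAKE2B"]))   # migration period
    print(verify(entry, data + b"x", ["BLAKE2B"]))      # modified file
```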