> manifest-hashes = SHA512 SHA3-512 WHIRLPOOL
>
> Your thoughts?
I just want to point out that according to GLEP 63 we only require PGP signatures with at least SHA-256 [1]. Further, our PGP signatures by the release team are as well either SHA-256/SHA-512. So using SHA3-512 (or WHIRLPOOL for that matter) is nice, but it feels a bit like overdoing it. What about simply SHA512 and calling it a day?

Further, it might be a good time to finally resolve the issue with our rsync integrity for users. (What is the gain of using a secure hash algorithm in the manifests if you can simply replace the manifest with a MITM attack on the rsync update?)

Best,
Matthias

[1] https://wiki.gentoo.org/wiki/GLEP:63#Specifications_for_GnuPG_keys
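The thread is about which hashes a Manifest should carry and whether that matters when the Manifest itself is unauthenticated. The following is an added example, not Portage's or any Gentoo code, showing the consumer-side logic for a Manifest `DIST` entry: it assumes the line format `DIST <filename> <size> <HASH> <hex> [<HASH> <hex> ...]`, uses hashlib's `sha512` and `sha3_512` (WHIRLPOOL only if the local OpenSSL provides it), and treats a Manifest whose hashes cannot be computed locally as unverifiable rather than as passing. The constructed `make_manifest_line` helper and the sample data exist only to make the example self-contained; it does nothing about the signature on the Manifest itself, which is the separate problem the message raises.

```python
"""Verify a distfile against a Gentoo-style Manifest DIST entry.

Added example (not Portage code).  Assumed line format:
    DIST <filename> <size> <HASH> <hex> [<HASH> <hex> ...]
"""
import hashlib

# Manifest hash labels -> hashlib constructor names.  WHIRLPOOL is only
# present when the underlying OpenSSL build provides it.
HASH_NAMES = {"SHA512": "sha512", "SHA3-512": "sha3_512", "WHIRLPOOL": "whirlpool"}


def _digest(label, data):
    """Hex digest of data under a Manifest hash label, or None if unsupported."""
    try:
        return hashlib.new(HASH_NAMES[label], data).hexdigest()
    except (KeyError, ValueError):  # unknown label, or OpenSSL lacks the algorithm
        return None


def make_manifest_line(filename, data, labels=("SHA512", "SHA3-512")):
    """Producer side (constructed for the demo): emit a DIST line for data."""
    fields = ["DIST", filename, str(len(data))]
    for label in labels:
        digest = _digest(label, data)
        if digest is None:
            raise ValueError(f"cannot compute {label} on this host")
        fields += [label, digest]
    return " ".join(fields)


def parse_manifest_line(line):
    """Parse one DIST line into a dict; raises ValueError on malformed input."""
    parts = line.split()
    if len(parts) < 5 or parts[0] != "DIST" or len(parts[3:]) % 2:
        raise ValueError("malformed Manifest line")
    return {
        "name": parts[1],
        "size": int(parts[2]),
        "hashes": dict(zip(parts[3::2], parts[4::2])),  # label -> hex digest
    }


def verify_data(data, entry, required=("SHA512",)):
    """Check data against a parsed entry; returns (ok, reason).

    Every listed hash we can compute must match, and at least one of the
    `required` (policy-trusted) hashes must actually have been checked.  A
    Manifest carrying only hashes this host cannot compute is reported as
    unverifiable, never as passing.
    """
    if len(data) != entry["size"]:
        return False, "size mismatch"
    checked = []
    for label, expected in entry["hashes"].items():
        actual = _digest(label, data)
        if actual is None:
            continue  # cannot compute here; does not count as verified
        if actual != expected.lower():
            return False, f"{label} mismatch"
        checked.append(label)
    if not any(label in checked for label in required):
        return False, "no required hash could be verified"
    return True, "ok"


if __name__ == "__main__":
    sample = b"constructed distfile contents"  # constructed sample, not a real distfile
    line = make_manifest_line("foo-1.0.tar.gz", sample)
    print(line)
    print(verify_data(sample, parse_manifest_line(line)))
```

The `required` policy is the part worth tuning: it encodes which hash the verifier insists on seeing, independently of whatever extra algorithms the Manifest lists, which is the distinction the message draws between what GLEP 63 requires and what the proposed `manifest-hashes` line adds.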