On 10/20/2017 11:10 AM, Dirkjan Ochtman wrote:
>
> I support Hanno's suggestion of doing just SHA512, but would be
> interested in hearing opinions from others who have apparent
> security/crypto experience. Maybe the Security project can weigh the
> suggestions as well?
>
The whole discussion is moot so long as we don't have an OpenPGP-signed Gentoo repository in rsync.

SHA2-512 is generally quicker than SHA256 on 64-bit architectures, but considerably slower for some architectures. Introducing a non-optimized Keccak on top of it will have a significant negative performance impact for these arches without much security gain. If we still want two separate hashes, the choice of a SHA2 and SHA3 combination is a good one given they are based on separate constructs.

But IMHO we should start where things matter and complete an implementation for OpenPGP signatures of MetaManifests in Portage.

-- 
Kristian Fiskerstrand
OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
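As an added illustration of the point above about pairing hashes from separate constructions (example code written for this page, not Portage's own; the simplified "DIST"-style entry format, the hash names and the sample data are constructed assumptions, not taken from the thread):

```python
import hashlib
import hmac

# Accepted hash names for this simplified, constructed Manifest-style "DIST" entry
# format (assumption: loosely modelled on Portage Manifest lines, not from the thread).
HASH_ALGOS = {"SHA256": "sha256", "SHA512": "sha512", "SHA3_512": "sha3_512"}

def compute_digests(data: bytes, algos) -> dict:
    """Return {ALGO: hexdigest} over data for each requested hash name."""
    return {a: hashlib.new(HASH_ALGOS[a], data).hexdigest() for a in algos}

def make_entry(name: str, data: bytes, algos=("SHA512", "SHA3_512")) -> str:
    """Build 'DIST <name> <size> <ALGO> <hex> ...' with one digest per construction."""
    digests = compute_digests(data, algos)
    return f"DIST {name} {len(data)} " + " ".join(f"{a} {digests[a]}" for a in algos)

def parse_entry(line: str) -> dict:
    """Parse a DIST line into {'name', 'size', 'digests'}; reject malformed input."""
    f = line.split()
    if len(f) < 5 or f[0] != "DIST" or (len(f) - 3) % 2:
        raise ValueError("malformed DIST entry")
    digests = {}
    for algo, hexd in zip(f[3::2], f[4::2]):
        if algo not in HASH_ALGOS:
            raise ValueError(f"unsupported hash {algo}")
        digests[algo] = hexd.lower()
    return {"name": f[1], "size": int(f[2]), "digests": digests}

def verify(line: str, data: bytes) -> bool:
    """Accept data only if the size and EVERY listed digest match.

    Requiring all digests is what makes a SHA-2 + SHA-3 pair worth its cost:
    a substituted file must collide under both independent constructions.
    """
    entry = parse_entry(line)
    if len(data) != entry["size"]:
        return False
    actual = compute_digests(data, entry["digests"])
    return all(hmac.compare_digest(actual[a], h) for a, h in entry["digests"].items())

# Constructed sample distfile and the entry a Manifest would carry for it.
SAMPLE = b"constructed sample distfile contents\n"
ENTRY = make_entry("sample-1.0.tar.gz", SAMPLE)

if __name__ == "__main__":
    print(ENTRY)
    print("intact:", verify(ENTRY, SAMPLE))                   # True
    print("tampered:", verify(ENTRY, SAMPLE[:-2] + b"X\n"))   # False
```

Because verification rejects on any single mismatch, an entry whose SHA3_512 digest was computed over a different file fails even when the SHA512 digest is correct.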