On Sat, 2021-07-24 at 17:15 -0400, Joshua Kinard wrote:
> On 7/24/2021 11:16, Michał Górny wrote:
> > Hi, everyone.
> >
> > I've been asked to repost the idea of removing SHA512 hash from
> > Manifests, effectively limiting them to BLAKE2B.
> >
> > The 'old' set of Gentoo hashes including SHA512 went live in July 2012.
> > In November 2017, we have decided to remove the two other hashes and add
> > BLAKE2B in their stead. Today, all Gentoo packages are using BLAKE2B
> > and SHA512 hashes.
> >
> > To all extent, this is purely a cosmetic change. The benefit from
> > removing the additional hash is negligible, both from space perspective
> > and hashing speed perspective. The benefit from keeping two hashes is
> > also negligible.
> >
> > Back during the 2017 discussion, Infra came to the conclusion that we're
> > going to keep SHA512 for a transition period, then remove it, and stay
> > with a single hash algorithm. In my opinion, we have kept it long
> > enough.
> >
> > WDYT?
>
> Are there any security benefits/consequences of keeping two/one? If no to
> consequences, then I don't see a problem dropping SHA512.

To the best of my knowledge, the consequences are negligible.

> And are we looking at BLAKE3 hash support at all for the future? I know
> that algo is fairly new (Jan 2020). A quick read indicates it merges a
> number of the BLAKE2 variants together and is faster in some areas of
> execution.

Not at the moment. I see they've eventually made a C implementation, so
maybe it's worth looking into. OTOH we may want to wait till it's part
of CPython, or at least has C-based Python bindings.

--
Best regards,
Michał Górny