On 2021-07-25 08:27, Michał Górny wrote:
On Sun, 2021-07-25 at 01:12 +0200, Thomas Deutschmann wrote:
I don't understand. Isn't it the same motion we put down just 2
months ago [1]? Or is this something new?

If this isn't something new, what has changed since May [2]?

Apparently it has not been 'put down' because it came back via open bugs.

Open bugs? Could you please link them here?


To remember: Currently we have two different hashes for every
distfile. If we are going to throw this data away, we should really
have good reasons to do that. As said during that council
meeting, BLAKE2B and SHA512 are competing hashes. What's wrong with
having a backup plan even for a very unlikely scenario, that
BLAKE2B will get broken?

Define 'broken'.

To quote from chapter 9 of the Handbook of Applied Cryptography, by
Menezes, van Oorschot and Vanstone:

If, for a given hash function, an attack is found, which, by
exploiting special details of how the hash function operates, finds a
preimage, a second preimage or a collision faster than the
corresponding generic attack, then the hash function is said to be
"broken".

This happened publicly for SHA1 in 2017.


Remember that verify-sig.eclass I criticized last year? Of course
some scenarios I outlined were very unlikely and I never expected
that I could run around in the near future saying "I told you". But in
January 2021, CVE-2021-3345 happened in libgcrypt...

I don't see how this is relevant either.  Are you admitting that
you're criticizing all my ideas because I just happen to propose
them?

No, I am not criticizing ideas because *you* proposed them. I share my criticism when I have some concerns or believe the proposal has some flaws. You may have that impression because you are very active and most proposals are coming from you. In the end, we are both hopefully sharing the same goal of making Gentoo better...


--
Regards,
Thomas Deutschmann / Gentoo Linux Developer
fpr: C4DD 695F A713 8F24 2AA1 5638 5849 7EE5 1D5D 74A5
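As an added illustration of the "two hashes per distfile" point discussed above (example code written for this page, not from the thread and not Portage's own verifier): a minimal Manifest DIST checker that accepts a file only when its size and every listed digest match, so a break in one of the two hashes alone is not enough to get a tampered distfile accepted. The DIST line layout follows GLEP 74 (`DIST <file> <size> BLAKE2B <hex> SHA512 <hex>`); the sample data and entry are constructed.

```python
import hashlib

# Manifest2 (GLEP 74) DIST entries carry one or more named digests per distfile.
# Only the two hashes the thread talks about are handled here.
HASH_IMPLS = {
    "BLAKE2B": hashlib.blake2b,   # 64-byte digest, as used in Manifests
    "SHA512": hashlib.sha512,
}

def parse_dist_entry(line):
    """Parse a DIST line into (filename, size, {hash_name: hexdigest})."""
    fields = line.split()
    if len(fields) < 5 or fields[0] != "DIST" or (len(fields) - 3) % 2:
        raise ValueError("malformed DIST entry: %r" % line)
    filename, size = fields[1], int(fields[2])
    hashes = dict(zip(fields[3::2], fields[4::2]))
    return filename, size, hashes

def verify_distfile(data, line):
    """Return True only if the size and *every* listed digest match.

    Requiring all digests (not just any one) is what makes the second hash
    a backup: a forged file must defeat BLAKE2B and SHA512 at the same time."""
    _, size, hashes = parse_dist_entry(line)
    if len(data) != size:
        return False
    for name, expected in hashes.items():
        impl = HASH_IMPLS.get(name)
        if impl is None:
            return False  # unknown hash name: cannot verify, so fail closed
        if impl(data).hexdigest() != expected.lower():
            return False
    return True

def make_dist_entry(filename, data):
    """Build a DIST line with both digests (used for the constructed sample)."""
    parts = ["DIST", filename, str(len(data))]
    for name, impl in HASH_IMPLS.items():
        parts += [name, impl(data).hexdigest()]
    return " ".join(parts)

def corrupt_hash(line, name):
    """Flip the first hex digit of the named digest, simulating a bad Manifest."""
    fields = line.split()
    i = fields.index(name) + 1
    first = "1" if fields[i][0] == "0" else "0"
    fields[i] = first + fields[i][1:]
    return " ".join(fields)

# Constructed sample, not a real distfile or Manifest entry.
SAMPLE_DATA = b"constructed sample distfile contents\n"
SAMPLE_ENTRY = make_dist_entry("sample-1.0.tar.gz", SAMPLE_DATA)
```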
