> Hi
> I'd like to propose the following for portage:
> - Only support one "secure" hash function (such as sha2, sha3, blake2, etc)
> - Only generate and parse one hash function in Manifest files
> - Remove support for multiple hash functions
No, this has no benefit.
> In other words, what are we actually getting by having _both_ SHA2-512
> and BLAKE2b for every file in every Manifest?
Implementations are often broken and we have to expect zero-day attacks
on hashes and on signatures. Hence it does not hurt to have a second hash.
It is very likely that we cannot trust X for a while in the next
years, but it is very unlikely that two different implementations are
affected.
Additionally, calculating a second hash does not cost anything.
This was also the outcome of the discussion some time ago here.
--
Best,
Jonas
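As an added illustration of what the two-hash Manifest layout buys, here is example code written for this page (it is not Portage's own Manifest code). It parses a Manifest2 `DIST <name> <size> <ALGO> <hex> ...` line, checks a file against every hash listed, requires both BLAKE2B and SHA512 to be present, and then simulates a break of one algorithm (a forged BLAKE2B match) to show that the other still catches the substitution. The Manifest line and file contents are constructed; the function names are assumptions.

```python
import hashlib

# Manifest2 hash names mapped to hashlib constructors. Assumption: only the
# two algorithms discussed in the thread are handled here.
MANIFEST_HASHES = {
    "BLAKE2B": hashlib.blake2b,   # 64-byte digest, 128 hex chars
    "SHA512": hashlib.sha512,     # 64-byte digest, 128 hex chars
}


def parse_manifest_line(line):
    """Parse 'DIST <name> <size> <ALGO> <hex> [<ALGO> <hex> ...]' into a dict."""
    fields = line.split()
    if len(fields) < 5 or (len(fields) - 3) % 2:
        raise ValueError("malformed Manifest line: %r" % line)
    entry = {"type": fields[0], "name": fields[1], "size": int(fields[2]), "hashes": {}}
    for algo, hexdigest in zip(fields[3::2], fields[4::2]):
        entry["hashes"][algo] = hexdigest.lower()
    return entry


def verify_entry(entry, data, required=("BLAKE2B", "SHA512")):
    """Return (ok, mismatches).

    Every hash listed in the entry must match the data, and every algorithm in
    `required` must be present; a Manifest that silently dropped one hash
    would otherwise weaken the check.
    """
    mismatches = []
    if len(data) != entry["size"]:
        mismatches.append("size")
    for algo in required:
        if algo not in entry["hashes"]:
            mismatches.append("missing " + algo)
    for algo, expected in entry["hashes"].items():
        ctor = MANIFEST_HASHES.get(algo)
        if ctor is None:
            mismatches.append("unknown " + algo)
            continue
        if ctor(data).hexdigest() != expected:
            mismatches.append(algo)
    return (not mismatches, mismatches)


def make_manifest_line(name, data):
    """Build a DIST line carrying every algorithm in MANIFEST_HASHES (hypothetical helper)."""
    parts = ["DIST", name, str(len(data))]
    for algo, ctor in MANIFEST_HASHES.items():
        parts += [algo, ctor(data).hexdigest()]
    return " ".join(parts)


# Constructed sample distfile and its Manifest entry.
SAMPLE_DATA = b"example distfile contents\n"
SAMPLE_NAME = "example-1.0.tar.gz"
SAMPLE_LINE = make_manifest_line(SAMPLE_NAME, SAMPLE_DATA)


def demo_tampered():
    """Simulate a broken BLAKE2B: an attacker swaps the file and (hypothetically)
    produces a second preimage so the BLAKE2B line still matches. We model that
    by overwriting the expected BLAKE2B with the tampered file's digest. The
    independent SHA512 value still rejects the file."""
    entry = parse_manifest_line(SAMPLE_LINE)
    tampered = SAMPLE_DATA[:-1] + b"!"   # same length, different content
    entry["hashes"]["BLAKE2B"] = hashlib.blake2b(tampered).hexdigest()
    return verify_entry(entry, tampered)


if __name__ == "__main__":
    print(SAMPLE_LINE)
    print("genuine file:", verify_entry(parse_manifest_line(SAMPLE_LINE), SAMPLE_DATA))
    print("forged BLAKE2B, intact SHA512:", demo_tampered())
```

The point of `demo_tampered` is the one Jonas makes: as long as the verifier insists that every listed hash match, an attacker has to defeat both algorithms at once, and a Manifest that lists only one of them is rejected outright rather than quietly accepted with reduced assurance.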