Hi Jonas,

On Tue, Apr 5, 2022 at 11:20 PM Jonas Stein <jst...@gentoo.org> wrote:
> > In other words, what are we actually getting by having _both_ SHA2-512
> > and BLAKE2b for every file in every Manifest?
>
> Implementations are often broken and we have to expect zero-day attacks
> on hashes and on signatures. Hence it does not hurt to have a second hash.
>
> It is very likely that we cannot trust in X for a while in the next
> years, but it is very unlikely that two different implementations are
> affected.
This is the part that doesn't really make any sense to me. The security of
the system reduces to the SHA512 used by those GPG signatures. If SHA512
breaks, the fact that our Manifest files also use BLAKE2b isn't going to
help us, since an attacker could presumably, in that case, forge the
signatures that we're using as a root of trust. I don't see what a second
hash buys us from a security perspective here. What attack model do you
have where it makes sense?

> Additionally calculating a second hash does not cost anything.

How is that possible? Doesn't calculating two things always cost more than
calculating one? If what you actually mean is, "performance is not
important," we can discuss that, but it sounds like you're saying that
there's zero performance impact. How does that work exactly? Is only one
calculated at emerge time or something clever like that?

Jason
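The Manifest-to-distfile step that the thread is arguing about, as an added example that is not part of the thread and not Portage's own code. It assumes the GLEP 74 layout of a DIST line (`DIST <filename> <size> <ALGO> <hex> [<ALGO> <hex> ...]`), uses `hashlib` for BLAKE2B and SHA512, and hashes constructed sample bytes rather than a real distfile. It covers only the digests inside the Manifest; the signature over the Manifest itself, which Jason says the whole thing reduces to, is outside it. `hashing_cost` is there to put a number on "a second hash does not cost anything": both digests are computed over the full file, so the two-algorithm timing is roughly the sum of the two single-algorithm timings.

```python
"""Added example (not from the thread): verify a Gentoo Manifest DIST
entry against every digest it lists, and time one hash versus two.

Assumptions: the DIST line follows the GLEP 74 layout
    DIST <filename> <size> <ALGO> <hex> [<ALGO> <hex> ...]
and SAMPLE_DATA below is constructed for the demo, not a real tarball.
"""
import hashlib
import time

# Algorithms this verifier can compute: Manifest name -> hashlib constructor.
HASH_IMPL = {
    "BLAKE2B": hashlib.blake2b,
    "SHA512": hashlib.sha512,
}

# Constructed stand-in for a distfile (about 96 KiB).
SAMPLE_DATA = b"not a real tarball, just example distfile bytes\n" * 2048


def make_dist_line(filename, data, algos=("BLAKE2B", "SHA512")):
    """Build a Manifest DIST line for `data` (demo helper)."""
    digests = " ".join(f"{a} {HASH_IMPL[a](data).hexdigest()}" for a in algos)
    return f"DIST {filename} {len(data)} {digests}"


def parse_dist_line(line):
    """Split 'DIST name size ALGO hex [ALGO hex ...]' into its parts."""
    fields = line.split()
    # 3 fixed fields plus one (ALGO, hex) pair at minimum -> odd count >= 5
    if len(fields) < 5 or fields[0] != "DIST" or len(fields) % 2 != 1:
        raise ValueError(f"malformed DIST line: {line!r}")
    filename, size = fields[1], int(fields[2])
    digests = dict(zip(fields[3::2], fields[4::2]))
    return filename, size, digests


def verify_dist(data, line):
    """Check `data` against the size and every digest on the DIST line.

    Returns (ok, per_algo). per_algo maps each listed algorithm to True
    (matched), False (mismatched) or None (algorithm unknown here).
    ok is True only when the size matches, at least one digest could be
    computed, and every computable digest matched: an entry whose only
    digests are unknown has not been checked at all, so it is rejected.
    """
    _, size, digests = parse_dist_line(line)
    per_algo = {}
    for algo, expected in digests.items():
        impl = HASH_IMPL.get(algo)
        if impl is None:
            per_algo[algo] = None
            continue
        per_algo[algo] = impl(data).hexdigest() == expected.lower()
    checked = [v for v in per_algo.values() if v is not None]
    ok = len(data) == size and bool(checked) and all(checked)
    return ok, per_algo


def hashing_cost(data, algos, rounds=20):
    """Average wall-clock seconds to hash `data` once with each of `algos`.

    Compare hashing_cost(data, ("SHA512",)) with
    hashing_cost(data, ("BLAKE2B", "SHA512")) to see what the second
    digest adds; every algorithm reads the full input.
    """
    start = time.perf_counter()
    for _ in range(rounds):
        for algo in algos:
            HASH_IMPL[algo](data).digest()
    return (time.perf_counter() - start) / rounds


if __name__ == "__main__":
    line = make_dist_line("example-1.0.tar.gz", SAMPLE_DATA)
    print(line)
    print("intact:  ", verify_dist(SAMPLE_DATA, line))
    print("tampered:", verify_dist(SAMPLE_DATA + b"x", line))
    one = hashing_cost(SAMPLE_DATA, ("SHA512",))
    two = hashing_cost(SAMPLE_DATA, ("BLAKE2B", "SHA512"))
    print(f"SHA512 only: {one * 1e6:.0f} us, BLAKE2B+SHA512: {two * 1e6:.0f} us")
```

Timings from `hashing_cost` are noisy on a loaded machine; raise `rounds` or use a larger input if the two numbers come out too close to read. The verifier deliberately fails closed when a digest it knows how to compute mismatches, even if the other one matched, and when it could compute none of the listed digests.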