On Tue, May 24, 2011 at 06:36, Mark Stanislav <mark.stanis...@gmail.com> wrote:
> On May 24, 2011, at 1:38 AM, Daniel Pittman wrote:
>> On Fri, May 20, 2011 at 08:23, Nigel Kersten <ni...@puppetlabs.com> wrote:
>>> On Fri, May 20, 2011 at 5:39 AM, Mark Stanislav <mark.stanis...@gmail.com>
>>> wrote:
[…]
>> Larger keys, better hashing (probably by adding them as well as md5,
>> rather than just replacing it, etc.)
>
> I really don't know of any reason to implement MD5 at all. It *is* broken and
> we do have better algorithms to implement. Even if SHA-1 is on its last leg,
> it's still a step-up. SHA-256 is preferred, though.

Ah. We have a policy of supporting at least two major versions back, and would
generally prefer not to have to go and patch all the 2.6 and 2.7 releases out
there when 2.8 moves to a more secure hash. (...or 0.25 and 2.6 when 2.7 adds
it. ;)

So, it isn't a requirement for any reason other than our desire not to make
more work for ourselves than we need to; it would also be good to get into a
mode where we are good at changing the hash; SHA derivatives won't last forever
either.

Regards,
Daniel
--
⎋ Puppet Labs Developer – http://puppetlabs.com
✉ Daniel Pittman <dan...@puppetlabs.com>
✆ Contact me via gtalk, email, or phone: +1 (877) 575-9775
♲ Made with 100 percent post-consumer electrons