> On Wed, 06 Apr 2022, Jason A Donenfeld wrote:
> I think actually the argument I'm making this time might be subtly
> different from the motions that folks went through last year.
> Specifically, the idea last year was to switch to using BLAKE2b only.
> I think what the arguments I'm making n
On Tue, Apr 5, 2022 at 8:05 PM Sam James wrote:
> > On 5 Apr 2022, at 22:13, Jonas Stein wrote:
> >
> >> In other words, what are we actually getting by having _both_ SHA2-512
> >> and BLAKE2b for every file in every Manifest?
> >
> > Implementations are often broken and we have to expect zero da
> On 6 Apr 2022, at 01:15, Jason A. Donenfeld wrote:
>
> Hi Sam,
>
> On Wed, Apr 6, 2022 at 2:02 AM Sam James wrote:
>> This matches my views and recollection. We could revisit it
>> if there was a passionate advocate (which it looks like there may well be).
>>
>> While I wasn't against it b
Hi Sam,
On Wed, Apr 6, 2022 at 2:02 AM Sam James wrote:
> This matches my views and recollection. We could revisit it
> if there was a passionate advocate (which it looks like there may well be).
>
> While I wasn't against it before, I was sort of ambivalent given
> we had no strong reason to, bu
> On 5 Apr 2022, at 22:13, Jonas Stein wrote:
>
> Hi
>
>> I'd like to propose the following for portage:
>> - Only support one "secure" hash function (such as sha2, sha3, blake2, etc)
>> - Only generate and parse one hash function in Manifest files
>> - Remove support for multiple hash functio
Hi Matt,
On Tue, Apr 5, 2022 at 10:38 PM Matt Turner wrote:
>
> On Tue, Apr 5, 2022 at 12:30 PM Jason A. Donenfeld wrote:
> > By the way, we're not currently _checking_ two hash functions during
> > src_prepare(), are we?
>
> I don't know, but the hash-checking is definitely checked before
> sr
Hi Jonas,
On Tue, Apr 5, 2022 at 11:20 PM Jonas Stein wrote:
> > In other words, what are we actually getting by having _both_ SHA2-512
> > and BLAKE2b for every file in every Manifest?
>
> Implementations are often broken and we have to expect zero day attacks
> on hashes and on signatures. Henc
Hi Ulrich,
On Tue, Apr 5, 2022 at 10:15 PM Ulrich Mueller wrote:
>
> > On Tue, 05 Apr 2022, Jason A Donenfeld wrote:
>
> > Huh. Something not brought up there or https://bugs.gentoo.org/784710
> > is the fact that the _security_ of the system reduces to SHA-512 as
> > used by our GPG signatur
Hi
I'd like to propose the following for portage:
- Only support one "secure" hash function (such as sha2, sha3, blake2, etc)
- Only generate and parse one hash function in Manifest files
- Remove support for multiple hash functions
No, this has no benefit.
In other words, what are we actua
On Tue, Apr 5, 2022 at 12:30 PM Jason A. Donenfeld wrote:
> By the way, we're not currently _checking_ two hash functions during
> src_prepare(), are we?
I don't know, but the hash-checking is definitely checked before src_prepare().
> On Tue, 05 Apr 2022, Jason A Donenfeld wrote:
> Huh. Something not brought up there or https://bugs.gentoo.org/784710
> is the fact that the _security_ of the system reduces to SHA-512 as
> used by our GPG signatures.
The hash algorithm would be the least of my concerns about the security
o
Hi Matt,
On Tue, Apr 5, 2022 at 8:58 PM Matt Turner wrote:
> This was a topic in June 2021's Council meeting:
>
> https://gitweb.gentoo.org/sites/projects/council.git/tree/meeting-logs/20210613-summary.txt#n33
> https://gitweb.gentoo.org/sites/projects/council.git/tree/meeting-logs/20210613.txt#n
On Tue, Apr 5, 2022 at 11:47 AM Jason A. Donenfeld wrote:
>
> Hi Michal,
>
> On Tue, Apr 05, 2022 at 02:49:12PM +, Michał Górny wrote:
> > > I don't really care which one we use, so long as it's not already
> > > broken or too obscure/new. So in other words, any one of SHA2-256,
> > > SHA2-512
Hi Michal,
On Tue, Apr 05, 2022 at 02:49:12PM +, Michał Górny wrote:
> > I don't really care which one we use, so long as it's not already
> > broken or too obscure/new. So in other words, any one of SHA2-256,
> > SHA2-512, SHA3, BLAKE2b, BLAKE2s would be fine with me. Can we just
> > pick one
Hi Ulrich,
On Tue, Apr 5, 2022 at 4:10 PM Ulrich Mueller wrote:
> The OpenPGP signature is for the top-level Manifest only. In case there
> was any trouble, it would be trivial to change the hash algorithm used
> for this.
>
> In contrast to that, updating the hashes in all Manifest files is a
>
On Tue, 2022-04-05 at 01:41 +0200, Jason A. Donenfeld wrote:
> Hi,
>
> I'd like to propose the following for portage:
>
> - Only support one "secure" hash function (such as sha2, sha3, blake2, etc)
> - Only generate and parse one hash function in Manifest files
> - Remove support for multiple has
> On Tue, 05 Apr 2022, Jason A Donenfeld wrote:
> - GPG signatures are already over the SHA512 of the plain text, so
> the security of the system already reduces to that. By choosing
> SHA512, we don't add more risk, whilst choosing something else means
> we're in trouble if either one has a
To move things forward with something more concrete:
On 4/5/22, Jason A. Donenfeld wrote:
> Hi,
>
> I'd like to propose the following for portage:
>
> - Only support one "secure" hash function (such as sha2, sha3, blake2, etc)
> - Only generate and parse one hash function in Manifest files
> - Re
Support GPEP517_TESTING variable to enable using dev-python/gpep517
instead of inline Python snippets. This is meant to provide
the necessary testing before we stabilize it and switch over.
Signed-off-by: Michał Górny
---
eclass/distutils-r1.eclass | 88 --
1
# Sergey Popov (2022-04-05)
# Upstream is dead long time ago
# SRC_URI and HOMEPAGE are gone(bug #680362)
# Has file collision with dev-util/bcc(bug #834093)
# Suggested modern replacement is incorporated in dev-util/bcc
# Removal in 30 days
app-misc/ttysnoop
# Volkmar W. Pogatzki (2022-04-04)
# Last upstream activities in 2009.
# Fails to compile with java 11 or higher (bug #831262).
# Removal in 30 days.
net-misc/jrdesktop