-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 08/14/2015 04:54 PM, Rich Freeman wrote:
> On Fri, Aug 14, 2015 at 8:45 AM, Kristian Fiskerstrand
> <[email protected]> wrote:
>>
>>> 2. The question is why manifests are modified for rsync. In git
>>> manifests are thin (only distfiles are there), in rsync they also
>>> contain checksums for ebuilds and files dir content. Do we really
>>> need this? These manifests are not signed now, so of little use.
>>
>> They will be OpenPGP signed by a releng key during thickening and
>> portage will auto-verify it using gkeys once things are in place. As
>> such, checksums for ebuilds and other files certainly need to be part
>> of the manifest, otherwise it can open up for malicious alterations
>> of these files.
>>
>
> As much as I'd love to see it all folded into git, the reality is also
> that git signatures are only bound to files by a series of sha1 hashes,
> and sha1 is not a strong hash function. Git really ought to move to
> sha256 at some point, preferably in a manner that makes it expandable
> in the future to other hash functions. But, this isn't a high priority
> for upstream.

I'm not really too worried about second preimage attacks on sha1 at the
present time, so can understand that priority.

> The same limitation is true of any git gpg signature, including tag
> signatures. It is all held together by sha1. The manifest system is
> much stronger.

Well, it is only as good as the input it gets, so if the git
infrastructure (if sha1 truly turns out to be an issue, presuming that
it is verified at point of staging) or the staging area for the rsync
mirror is compromised (since the Manifests are signed when thickened, a
compromise here can override everything else) it will replicate to
users, so these points need to be properly protected.

-- 
Kristian Fiskerstrand
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
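The thin-versus-thick Manifest distinction discussed in this thread, as an added example (not portage's or Gentoo's own code): it thickens a thin Manifest by recording EBUILD/AUX/MISC entries for the package directory, and verifies a directory against a Manifest, reporting files a thin Manifest leaves entirely uncovered. It assumes a constructed sample package, records SHA512 only, and does not check the OpenPGP signature on the Manifest.

```python
import hashlib
import tempfile
from pathlib import Path

def _sha512(path: Path) -> tuple[int, str]:
    data = path.read_bytes()
    return len(data), hashlib.sha512(data).hexdigest()

def thicken(pkgdir: Path, thin: list[str]) -> list[str]:
    """Thin Manifest (DIST lines only) -> thick one that also records a size
    and SHA512 for every ebuild, files/ entry and other file in pkgdir."""
    out = [l for l in thin if l.startswith("DIST ")]
    for p in sorted(x for x in pkgdir.rglob("*") if x.is_file()):
        rel = p.relative_to(pkgdir).as_posix()
        if rel == "Manifest":
            continue
        typ = "EBUILD" if rel.endswith(".ebuild") else "AUX" if rel.startswith("files/") else "MISC"
        name = rel[len("files/"):] if typ == "AUX" else rel  # AUX names are relative to files/
        size, digest = _sha512(p)
        out.append(f"{typ} {name} {size} SHA512 {digest}")
    return out

def verify(pkgdir: Path, manifest: list[str]) -> list[str]:
    """Return problems: entries missing or not matching disk, and files in
    pkgdir the Manifest does not cover. DIST entries are skipped (distfiles
    live outside the package directory)."""
    problems, covered = [], set()
    for line in filter(str.strip, manifest):
        typ, name, size, *hashes = line.split()
        if typ == "DIST":
            continue
        rel = f"files/{name}" if typ == "AUX" else name
        covered.add(rel)
        want = dict(zip(hashes[::2], hashes[1::2])).get("SHA512")
        if not (pkgdir / rel).is_file() or _sha512(pkgdir / rel) != (int(size), want):
            problems.append(f"bad: {rel}")
    for p in pkgdir.rglob("*"):
        rel = p.relative_to(pkgdir).as_posix()
        if p.is_file() and rel != "Manifest" and rel not in covered:
            problems.append(f"unlisted: {rel}")  # a thin Manifest leaves these unverified
    return sorted(problems)

def make_demo_pkg() -> tuple[Path, list[str]]:
    """Constructed sample package directory and thin Manifest (not a real package)."""
    d = Path(tempfile.mkdtemp())
    (d / "files").mkdir()
    (d / "foo-1.0.ebuild").write_text('EAPI=5\nSRC_URI="https://example.invalid/foo-1.0.tar.gz"\n')
    (d / "files" / "foo-fix.patch").write_text("--- a/x\n+++ b/x\n")
    (d / "metadata.xml").write_text("<pkgmetadata/>\n")
    return d, ["DIST foo-1.0.tar.gz 12 SHA512 " + "0" * 128]  # placeholder digest, constructed
```

Against the thin Manifest, `verify` reports every package-directory file as unlisted; against the thickened one it reports nothing until a covered file changes.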
