On 24/07/2021 16:16, Michał Górny wrote:
> Hi, everyone.
>
> I've been asked to repost the idea of removing SHA512 hash from
> Manifests, effectively limiting them to BLAKE2B.
>
> The 'old' set of Gentoo hashes including SHA512 went live in July 2012.
> In November 2017, we have decided to remove the two other hashes and add
> BLAKE2B in their stead.  Today, all Gentoo packages are using BLAKE2B
> and SHA512 hashes.
>
> To all extent, this is purely a cosmetic change.  The benefit from
> removing the additional hash is negligible, both from space perspective
> and hashing speed perspective.  The benefit from keeping two hashes is
> also negligible.
>
> Back during the 2017 discussion, Infra came to the conclusion that we're
> going to keep SHA512 for a transition period, then remove it, and stay
> with a single hash algorithm.  In my opinion, we have kept it long
> enough.
>
> WDYT?


I use Gentoo heavily in my work but am not a developer, so I am only offering a user perspective. I find SHA512 hashes in Manifests, of upstream-provided tarballs (i.e. DIST entries) only, very useful when manually comparing with hashes provided by upstream sources. BLAKE2B may be better than SHA512 in certain respects, but adoption elsewhere by comparison is extremely low. Granted, SHA512 hashes of upstream files are certainly not plentiful (and it is shocking how many projects still use MD5), but at least some projects provide them. I've personally never seen any project provide a BLAKE2B hash for a sources tarball. Additionally, as stated by someone else already, there is SHA512 hardware acceleration support on many systems. This can save precious time in certain scenarios when doing manual checks on large files.

If there is little benefit to removing SHA512 it seems to me that there are significant benefits to keeping it. I for one would be quite disappointed to see it go.
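The manual check described in the reply above, as an added Python example (not Gentoo's own Manifest tooling): verify a distfile against a Manifest DIST entry carrying both hashes, then cross-check its SHA512 against a value upstream publishes; the sample file bytes and DIST line are constructed here, and the DIST line format follows GLEP 74.

```python
import hashlib
from typing import Optional

# Constructed sample: the bytes of a "distfile" (not a real Gentoo package).
DISTFILE = b"example upstream tarball contents\n"

def manifest_dist_line(name: str, data: bytes) -> str:
    """Build a GLEP 74 style DIST entry with both hashes Gentoo uses today."""
    return " ".join([
        "DIST", name, str(len(data)),
        "BLAKE2B", hashlib.blake2b(data).hexdigest(),
        "SHA512", hashlib.sha512(data).hexdigest(),
    ])

def parse_dist_line(line: str) -> dict:
    """Parse 'DIST <name> <size> <ALGO> <hex> [<ALGO> <hex> ...]'."""
    fields = line.split()
    if len(fields) < 5 or fields[0] != "DIST" or (len(fields) - 3) % 2:
        raise ValueError(f"malformed DIST line: {line!r}")
    entry = {"name": fields[1], "size": int(fields[2]), "hashes": {}}
    for algo, digest in zip(fields[3::2], fields[4::2]):
        entry["hashes"][algo] = digest.lower()
    return entry

def verify_distfile(data: bytes, line: str) -> dict:
    """Check the size and every hash listed; return one result per check."""
    entry = parse_dist_line(line)
    results = {"size": len(data) == entry["size"]}
    for algo, expected in entry["hashes"].items():
        # hashlib knows 'blake2b' (64-byte digest, as in Manifests) and 'sha512'
        results[algo] = hashlib.new(algo.lower(), data).hexdigest() == expected
    return results

def matches_upstream_sha512(line: str, upstream_hex: str) -> Optional[bool]:
    """Cross-check the Manifest SHA512 against a value upstream publishes.
    Returns None when the Manifest carries no SHA512 (what dropping it would
    mean), so the caller knows no comparison was possible."""
    entry = parse_dist_line(line)
    if "SHA512" not in entry["hashes"]:
        return None
    return entry["hashes"]["SHA512"] == upstream_hex.strip().lower()
```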
