On Tue, 05 Apr 2022, Jason A Donenfeld wrote:
> Huh. Something not brought up there or https://bugs.gentoo.org/784710
> is the fact that the _security_ of the system reduces to SHA-512 as
> used by our GPG signatures.
The hash algorithm would be the least of my concerns about the security of these signatures. IIUC, the secret signing key is stored on a machine that is connected to the network (Infra, please correct me if I'm wrong). So there are other, more likely attack vectors than a preimage attack on a 512-bit hash function.

Also: https://xkcd.com/538/ :)

Ulrich