Hello, everyone.

TL;DR: if you're running your own repository, please 1) make sure that you don't include deprecated hashes in manifest-hashes, and 2) consider removing custom manifest-hashes and just going with the default.

Many third-party Gentoo repositories right now include a manifest-hashes declaration in their metadata/layout.conf. From a quick look, I think that at least some of them were copied from ::gentoo at a particular time and have since grown out of date. One hash of particular concern is WHIRLPOOL. As of OpenSSL 3 it is no longer provided by default, and therefore Portage started falling back to the very slow Python implementation. And by "very slow", I actually mean atrociously slow -- it takes 6 seconds to hash a 1 MiB file here [1]. While there are measures in place to avoid this, it brings the more general problem of outdated hashes to my attention.

Therefore, I'd like to ask repository owners to:

1) Consider whether they really need to redefine manifest-hashes. The key is not mandatory, and if the defaults work fine for you, please just remove it and let the PMs use the defaults.

2) Check whether their custom manifest-hashes aren't obsolete. At least MD5, SHA1, RMD160 and WHIRLPOOL hashes should be considered deprecated at this moment. I'd also recommend including at least one BLAKE2 (BLAKE2B, BLAKE2S) or SHA2 (SHA256, SHA512) variant for the best interoperability combined with security.

3) Regenerate Manifests if they have changed manifest-hashes.

TIA.

[1] https://bugs.gentoo.org/885909

-- 
Best regards,
Michał Górny
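The following script is an added example, not part of the original mail or of Portage: it reads a repository's metadata/layout.conf, flags the deprecated hash names listed above, checks that at least one BLAKE2 or SHA2 variant is declared, and reports which declared hashes the running Python's hashlib cannot get from OpenSSL (the situation that triggers the slow fallback). The layout.conf contents, the `key = value` parsing and the hash-name-to-hashlib mapping are constructed assumptions for this check.

```python
"""Audit the manifest-hashes setting of a Gentoo overlay's metadata/layout.conf."""
import hashlib

# Hash names the mail asks repository owners to treat as deprecated.
DEPRECATED_HASHES = frozenset({"MD5", "SHA1", "RMD160", "WHIRLPOOL"})
# At least one of these should be declared for interoperability plus security.
RECOMMENDED_HASHES = frozenset({"BLAKE2B", "BLAKE2S", "SHA256", "SHA512"})
# Assumed mapping from Manifest hash names to hashlib algorithm names.
HASHLIB_NAMES = {
    "MD5": "md5", "SHA1": "sha1", "RMD160": "ripemd160", "WHIRLPOOL": "whirlpool",
    "SHA256": "sha256", "SHA512": "sha512", "BLAKE2B": "blake2b", "BLAKE2S": "blake2s",
}


def parse_layout_conf(text):
    """Parse simple `key = value` lines; '#' starts a comment, blank lines are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def audit_manifest_hashes(text):
    """Return findings about the manifest-hashes key of one layout.conf."""
    conf = parse_layout_conf(text)
    value = conf.get("manifest-hashes")
    if value is None:
        # No custom declaration: the package manager uses its own defaults.
        return {"declared": None, "deprecated": [], "has_recommended": True,
                "no_openssl_backend": [], "advice": ["uses PM defaults; nothing to do"]}

    declared = value.upper().split()
    deprecated = [h for h in declared if h in DEPRECATED_HASHES]
    has_recommended = any(h in RECOMMENDED_HASHES for h in declared)
    # Hashes that hashlib cannot obtain from OpenSSL on this interpreter; Portage
    # would have to fall back to a (much slower) non-OpenSSL implementation for them.
    no_backend = [h for h in declared
                  if HASHLIB_NAMES.get(h, h.lower()) not in hashlib.algorithms_available]

    advice = []
    if deprecated:
        advice.append("drop deprecated hashes: " + " ".join(deprecated))
    if not has_recommended:
        advice.append("add at least one of BLAKE2B, BLAKE2S, SHA256 or SHA512")
    if no_backend:
        advice.append("no OpenSSL backend here for: " + " ".join(no_backend))
    advice.append("consider removing manifest-hashes entirely and using the defaults")
    if deprecated or not has_recommended:
        advice.append("regenerate Manifests after changing manifest-hashes")
    return {"declared": declared, "deprecated": deprecated, "has_recommended": has_recommended,
            "no_openssl_backend": no_backend, "advice": advice}


# Constructed sample layout.conf contents for demonstration.
SAMPLE_OUTDATED = """\
# copied from ::gentoo a long time ago
masters = gentoo
manifest-hashes = SHA256 SHA512 WHIRLPOOL
"""
SAMPLE_CURRENT = "masters = gentoo\nmanifest-hashes = BLAKE2B SHA512\n"
SAMPLE_WEAK = "masters = gentoo\nmanifest-hashes = MD5 SHA1 RMD160\n"
SAMPLE_DEFAULT = "masters = gentoo\nthin-manifests = false\n"

if __name__ == "__main__":
    for name, text in (("outdated", SAMPLE_OUTDATED), ("current", SAMPLE_CURRENT),
                       ("weak", SAMPLE_WEAK), ("default", SAMPLE_DEFAULT)):
        result = audit_manifest_hashes(text)
        print(f"{name}: declared={result['declared']}")
        for line in result["advice"]:
            print("  -", line)
```

To run it against a real overlay, pass the contents of `metadata/layout.conf` to `audit_manifest_hashes()`; the `no_openssl_backend` field depends on the OpenSSL build behind your Python, so it tells you about the machine running the check, not about the repository itself.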
