On Fri, May 01, 2009 at 01:50:16PM -0700, Bart Smaalders wrote:
> Well, 2009.06 doesn't yet have manifest signing; content hashing
> has so far worked well w/ sha1.

For IPS' purposes, yes, but for detecting malicious changes via pkg verification, not so much. That's irrespective of manifest signing since one can always trust the repositories and rely on TLS.

That said, I don't think a delay is fatal, but for an enterprise release IPS reliance on SHA-1 would be near fatal at this point. Also, there's more to the switch to SHA-256 (or better) than just changing the hash function. You'll need to support SHA-1 still because of pkgs that used that for their content hash.
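
The point above about keeping SHA-1 alongside a stronger hash, as an added example that is not part of the original message and is not IPS code. The manifest entry layout (a dict of algorithm name to hex digest), the function name and the `allow_legacy` switch are assumptions made for illustration.

```python
import hashlib
import hmac

# Strongest first. SHA-1 stays in the list only so that packages published
# with a SHA-1 content hash can still be verified.
PREFERENCE = ("sha256", "sha1")
LEGACY = frozenset({"sha1"})


def verify_content(data, recorded, allow_legacy=True):
    """Verify data against the strongest hash a (hypothetical) manifest entry records.

    recorded maps algorithm name -> hex digest.
    Returns (ok, algorithm, legacy): legacy is True when only a weak hash
    was available, so the caller can report or refuse that case.
    """
    for alg in PREFERENCE:
        if alg not in recorded:
            continue
        if alg in LEGACY and not allow_legacy:
            # Strict policy: a legacy-only entry is treated as unverified.
            return False, alg, True
        actual = hashlib.new(alg, data).hexdigest()
        ok = hmac.compare_digest(actual, recorded[alg].lower())
        # Only the strongest recorded hash decides; a matching SHA-1 never
        # rescues a mismatching SHA-256.
        return ok, alg, alg in LEGACY
    raise ValueError("manifest entry has no supported content hash")


# Constructed sample data, not taken from any real package.
PAYLOAD = b"#!/bin/sh\necho hello\n"
OLD_ENTRY = {"sha1": hashlib.sha1(PAYLOAD).hexdigest()}
NEW_ENTRY = {
    "sha1": hashlib.sha1(PAYLOAD).hexdigest(),
    "sha256": hashlib.sha256(PAYLOAD).hexdigest(),
}

if __name__ == "__main__":
    print("old pkg:", verify_content(PAYLOAD, OLD_ENTRY))
    print("old pkg, strict:", verify_content(PAYLOAD, OLD_ENTRY, allow_legacy=False))
    print("new pkg:", verify_content(PAYLOAD, NEW_ENTRY))
```
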
