Diff of /xml/htdocs/proj/en/glep/glep-0059.html

Revision 1.6 Revision 1.9
25<tbody valign="top"> 25<tbody valign="top">
26<tr class="field"><th class="field-name">GLEP:</th><td class="field-body">59</td> 26<tr class="field"><th class="field-name">GLEP:</th><td class="field-body">59</td>
27</tr> 27</tr>
28<tr class="field"><th class="field-name">Title:</th><td class="field-body">Manifest2 hash policies and security implications</td> 28<tr class="field"><th class="field-name">Title:</th><td class="field-body">Manifest2 hash policies and security implications</td>
29</tr> 29</tr>
30<tr class="field"><th class="field-name">Version:</th><td class="field-body">1.5</td> 30<tr class="field"><th class="field-name">Version:</th><td class="field-body">1.6</td>
31</tr> 31</tr>
32<tr class="field"><th class="field-name">Last-Modified:</th><td class="field-body"><a class="reference external" href="http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/proj/en/glep/glep-0059.txt?cvsroot=gentoo">2010/01/31 07:55:45</a></td> 32<tr class="field"><th class="field-name">Last-Modified:</th><td class="field-body"><a class="reference external" href="http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/proj/en/glep/glep-0059.txt?cvsroot=gentoo">2010/01/31 09:55:43</a></td>
33</tr> 33</tr>
34<tr class="field"><th class="field-name">Author:</th><td class="field-body">Robin Hugh Johnson &lt;robbat2&#32;&#97;t&#32;gentoo.org&gt;,</td> 34<tr class="field"><th class="field-name">Author:</th><td class="field-body">Robin Hugh Johnson &lt;robbat2&#32;&#97;t&#32;gentoo.org&gt;,</td>
35</tr> 35</tr>
36<tr class="field"><th class="field-name">Status:</th><td class="field-body">Draft</td> 36<tr class="field"><th class="field-name">Status:</th><td class="field-body">Draft</td>
37</tr> 37</tr>
83<h1><a class="toc-backref" href="#id2">Motivation</a></h1> 83<h1><a class="toc-backref" href="#id2">Motivation</a></h1>
84<p>This GLEP is being written as part of the work on signing the Portage 84<p>This GLEP is being written as part of the work on signing the Portage
85tree, but is only tangentially related to the actual signing of 85tree, but is only tangentially related to the actual signing of
86Manifests. Checksums present one possible weak point in the overall 86Manifests. Checksums present one possible weak point in the overall
87security of the tree - and a comprehensive security plan is needed.</p> 87security of the tree - and a comprehensive security plan is needed.</p>
88<p>This GLEP is not mandatory for the tree-signing specification, but
89instead aims to improve the security of the hashes used in Manifest2.
90As such, it is also able to stand on it's own.</p>
88</div> 91</div>
89<div class="section" id="specification"> 92<div class="section" id="specification">
90<h1><a class="toc-backref" href="#id3">Specification</a></h1> 93<h1><a class="toc-backref" href="#id3">Specification</a></h1>
91<div class="section" id="the-bad-news"> 94<div class="section" id="the-bad-news">
92<h2><a class="toc-backref" href="#id4">The bad news</a></h2> 95<h2><a class="toc-backref" href="#id4">The bad news</a></h2>
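Review bot: in the paragraph added at new lines 88-90, "stand on it's own" should read "stand on its own" (possessive, no apostrophe). The footer shows this HTML is generated by Docutils from glep-0059.txt, so the fix belongs in the reStructuredText source, followed by a regeneration, rather than in this file.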
151defeated.</p> 154defeated.</p>
152<p>As soon as feasible, we should add the SHA512 and WHIRLPOOL algorithms. 155<p>As soon as feasible, we should add the SHA512 and WHIRLPOOL algorithms.
153In future, as stream-based checksums are developed (in response to the 156In future, as stream-based checksums are developed (in response to the
154development by NIST [AHS]), they should be considered and used.</p> 157development by NIST [AHS]), they should be considered and used.</p>
155<p>The SHA512 algorithm is available in Python 2.5, which has been a 158<p>The SHA512 algorithm is available in Python 2.5, which has been a
156dependency of Portage since approximately Python 2.1.6.13.</p> 159dependency of Portage since approximately Portage 2.1.6.13.</p>
157<p>The WHIRLPOOL checksum is not available within the PyCrypto library or 160<p>The WHIRLPOOL checksum is not available within the PyCrypto library or
158hashlib that is part of Python 2.5, but there are multiple alternative 161hashlib that is part of Python 2.5, but there are multiple alternative
159Python implementations available, ranging from pure Python to C-based 162Python implementations available, ranging from pure Python to C-based
160(python-mhash).</p> 163(python-mhash).</p>
161<p>The existence unsupported hash is not considered to be a failure unless 164<p>The existence unsupported hash is not considered to be a failure unless
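Review bot: the context line at new line 164 still reads "The existence unsupported hash", which is missing words; it should be "The existence of an unsupported hash", and it is worth fixing in the same pass as the "Portage 2.1.6.13" correction on line 159. Lines 160-163 also list several WHIRLPOOL implementations (pure Python through python-mhash) without saying which one verifiers are expected to use; since the text notes the hash is not in hashlib or PyCrypto, consider naming the expected implementation or stating that any of them is acceptable.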
177</div> 180</div>
178<div class="section" id="backwards-compatibility"> 181<div class="section" id="backwards-compatibility">
179<h1><a class="toc-backref" href="#id9">Backwards Compatibility</a></h1> 182<h1><a class="toc-backref" href="#id9">Backwards Compatibility</a></h1>
180<p>Old versions of Portage may support and expect only specific checksums. 183<p>Old versions of Portage may support and expect only specific checksums.
181This is accounted for in the checksum depreciation discussion.</p> 184This is accounted for in the checksum depreciation discussion.</p>
185<p>For maximum compatiability, we should only have to include each of the
186old algorithms that we are officially still supporting, as well as the
187new ones that we prefer.</p>
182</div> 188</div>
183<div class="section" id="references"> 189<div class="section" id="references">
184<h1><a class="toc-backref" href="#id10">References</a></h1> 190<h1><a class="toc-backref" href="#id10">References</a></h1>
185<dl class="docutils"> 191<dl class="docutils">
186<dt>[AHS] NIST (2007). &quot;NIST's Plan for New Cryptographic Hash Functions&quot;,</dt> 192<dt>[AHS] NIST (2007). &quot;NIST's Plan for New Cryptographic Hash Functions&quot;,</dt>
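Review bot: the paragraph added at new lines 185-187 misspells "compatibility" as "compatiability", and its wording "we should only have to include" is too loose for a Backwards Compatibility section, because it does not say whether a Manifest must carry every still-supported old algorithm alongside the new ones. Suggest phrasing it as a requirement, for example "each Manifest should include every old algorithm that is still officially supported, plus the preferred new ones". The context line at 184 also says "depreciation" where "deprecation" is meant.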
242 248
243</div> 249</div>
244<div class="footer"> 250<div class="footer">
245<hr class="footer" /> 251<hr class="footer" />
246<a class="reference external" href="glep-0059.txt">View document source</a>. 252<a class="reference external" href="glep-0059.txt">View document source</a>.
247Generated on: 2010-01-31 07:55 UTC. 253Generated on: 2010-02-02 05:44 UTC.
248Generated by <a class="reference external" href="http://docutils.sourceforge.net/">Docutils</a> from <a class="reference external" href="http://docutils.sourceforge.net/rst.html">reStructuredText</a> source. 254Generated by <a class="reference external" href="http://docutils.sourceforge.net/">Docutils</a> from <a class="reference external" href="http://docutils.sourceforge.net/rst.html">reStructuredText</a> source.
249 255
250</div> 256</div>
251</body> 257</body>
252</html> 258</html>
