[bug#41382] [PATCH 0/6] Allow for a cryptographic hash function migratio

guix-patches

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[bug#41382] [PATCH 0/6] Allow for a cryptographic hash function migratio

From:	Ludovic Courtès
Subject:	[bug#41382] [PATCH 0/6] Allow for a cryptographic hash function migration
Date:	Thu, 21 May 2020 22:46:18 +0200
User-agent:	Gnus/5.13 (Gnus v5.13) Emacs/26.3 (gnu/linux)

Hi!

Marius Bakke <address@hidden> skribis:

[...]

>> and to automatically “convert” the ‘sha256’ field specification to a
>> ‘content-hash’.  Due to the way identifiers are matched, there are cases
>> where we can’t preserve the illusion of compatibility, as can be seen
>> with the patch below.  Perhaps that’s acceptable, though.
>>
>> Thoughts?
>
> This is a great initiative, and the patches LGTM.

Great, thanks for taking a look.

> I think that if we are to move away from SHA256, we should go with
> something that is immune to length extension attacks[0] such as BLAKE2/3
> or SHA-3 (Keccak).

That makes sense to me.

I think we have time to think about it.  When we choose to switch, we
should change all the tools (importers, ‘guix download’, etc.) and
documentation to default to the new hash so migration can happen
consistently.

> Although I don't know any Guile implementations of those as of yet.

Libgcrypt supports them, so we can definitely use them.  I realize we
also need to extend nix/libutil/hash.{cc,hh}.

> SHA512 does not improve much security-wise IMO, but maybe it's
> worthwhile as s stop-gap.

Yeah, I’m not sure.  We should definitely keep an eye on what others are
doing and what crypto folks recommend.

Ludo’.

[Prev in Thread]

Current Thread

[Next in Thread]

[bug#41382] [PATCH 0/6] Allow for a cryptographic hash function migration, Ludovic Courtès, 2020/05/18
- [bug#41382] [PATCH 1/6] tests: Test 'add-to-store' with several hash algorithms., Ludovic Courtès, 2020/05/18
  - [bug#41382] [PATCH 3/6] guix hash, guix download: Add '--hash'., Ludovic Courtès, 2020/05/18
  - [bug#41382] [PATCH 2/6] tests: Test fixed-output derivations with several hash algorithms., Ludovic Courtès, 2020/05/18
  - [bug#41382] [PATCH 5/6] packages: Add 'sha512' optional field to <origin>., Ludovic Courtès, 2020/05/18
  - [bug#41382] [PATCH 4/6] guix hash, guix download: Support base64 format., Ludovic Courtès, 2020/05/18
  - [bug#41382] [PATCH 6/6] packages: Add 'base64' macro., Ludovic Courtès, 2020/05/18
- [bug#41382] [PATCH 0/6] Allow for a cryptographic hash function migration, Ludovic Courtès, 2020/05/19
  - [bug#41382] [PATCH 0/6] Allow for a cryptographic hash function migration, Marius Bakke, 2020/05/19
    - [bug#41382] [PATCH 0/6] Allow for a cryptographic hash function migration, Leo Famulari, 2020/05/19
    - [bug#41382] [PATCH 0/6] Allow for a cryptographic hash function migration, Ludovic Courtès <=
    - bug#41382: [PATCH 0/6] Allow for a cryptographic hash function migration, Ludovic Courtès, 2020/05/21

Prev by Date: [bug#41439] [PATCH] gnu: mediainfo: Update to 20.03.
Next by Date: [bug#41260] [PATCH v2] guix package: Support multiple profiles with '--list-installed'.
Previous by thread: [bug#41382] [PATCH 0/6] Allow for a cryptographic hash function migration
Next by thread: bug#41382: [PATCH 0/6] Allow for a cryptographic hash function migration
Index(es):
- Date
- Thread