tech-pkg archive


Removing SHA1 as a distfile hash



Right now, pkgsrc uses three hash functions for ensuring the
integrity of distfiles:

- SHA512 is a US government standard and widely considered secure
  in the cryptography community.
- SHA1 is a former US government standard (withdrawn in 2011)
  that is widely considered broken for ensuring file integrity.
  It could cost about 45K USD for someone to generate a collision.
- RIPEMD-160 is an older, less standardized hash (possibly notably,
  it's used in Bitcoin). Its status is less clear-cut to me.
  The digest size is quite small by today's standards.

I'd like to remove the SHA1 hashes now[0] and stop new ones
from being generated, since they do nothing but waste CPU cycles.
This leaves us with SHA512 and RMD160. Using at least two different
hashes is a good idea, in case one is found to be broken.

There's the question of whether we should adopt SHA3.  Personally, I'm
not keen on this. Like most US government crypto standards, SHA3 is
designed for performance when implemented in hardware, rather than
software. It's significantly slower than SHA512 in software.  On the
NetBSD side, we've got people running bulk builds on quite slow
hardware using distcc, and picking anything too intensive is unfair to
them. BLAKE2s is an alternative that's well regarded by cryptographers,
and faster than SHA512 in riastradh@'s portable C implementation.
It's also in the NetBSD kernel now, for use with wg(4). Eventually(tm),
it would be nice to completely replace SHA1 and RIPEMD-160 usage in
pkgsrc with BLAKE2s.

[0]: From distfiles. SHA1 is also used for patch checksums, with no
alternative, but it's not important for security there.
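
Added example, not part of the original post and not pkgsrc's own code: a checker that reads distinfo-style `ALGO (file) = hex` lines, never trusts SHA1, and accepts a distfile only when at least two strong digests match. The `BLAKE2s` tag, the function names and the sample file are assumptions; BLAKE2s stands in as the second hash because RIPEMD-160 support in Python's hashlib depends on the OpenSSL build.

```python
import hashlib
import hmac
import re

# Digests trusted for the integrity decision; SHA1 lines are parsed but never trusted.
STRONG = {"SHA512": hashlib.sha512, "BLAKE2s": hashlib.blake2s}
IGNORED = {"SHA1"}
MIN_STRONG = 2  # two independent hashes, in case one is later broken
ENTRY = re.compile(r"^(\w+) \((.+)\) = ([0-9a-f]+)$")

def parse_distinfo(text):
    """Return {filename: {algorithm: hexdigest}}; Size and comment lines are skipped."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            algo, name, digest = m.groups()
            entries.setdefault(name, {})[algo] = digest
    return entries

def verify(name, data, entries):
    """Return (ok, reason) for the bytes of one distfile."""
    recorded = entries.get(name)
    if recorded is None:
        return False, "no entry"
    matched = 0
    for algo, expected in recorded.items():
        if algo in IGNORED or algo not in STRONG:
            continue  # SHA1 and unknown algorithms never count
        actual = STRONG[algo](data).hexdigest()
        if not hmac.compare_digest(actual, expected):
            return False, algo + " mismatch"
        matched += 1
    if matched < MIN_STRONG:
        return False, "too few strong digests"
    return True, "ok"

def sample_distinfo(name, data, algos=("SHA512", "BLAKE2s")):
    """Build constructed sample input; the SHA1 value is deliberately wrong."""
    lines = ["SHA1 (%s) = %s" % (name, "0" * 40)]
    lines += ["%s (%s) = %s" % (a, name, STRONG[a](data).hexdigest()) for a in algos]
    lines.append("Size (%s) = %d bytes" % (name, len(data)))
    return "\n".join(lines)

if __name__ == "__main__":
    data = b"constructed distfile contents\n"
    entries = parse_distinfo(sample_distinfo("example-1.0.tar.gz", data))
    print(verify("example-1.0.tar.gz", data, entries))
    print(verify("example-1.0.tar.gz", data + b"x", entries))
```
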

