Adding SHA-512 to the list of digests

To: tech-pkg <tech-pkg%netbsd.org@localhost>
Subject: Adding SHA-512 to the list of digests
From: Alistair Crooks <agc%pkgsrc.org@localhost>
Date: Thu, 8 Oct 2015 11:21:55 -0700

Folks,

For distfile checksums, I'd like to add SHA-512 to our current mix of
SHA-1 and RMD160. The motivation for this is the new cryptanalysis
showing SHA-1 may well be forced a bit earlier, and/or a bit more
cheaply, than had been previously thought:

https://www.schneier.com/blog/archives/2015/10/sha-1_freestart.html

Even if the new analysis is overstating things (and I'm not sure it
is), it shows which way the trend is going, and it would be prudent to
add a more modern digest into the mix.

I realise all 3 digests are from the same family, but using SHA512
does add some further checking, and, yes, I'm aware of the research
that talks about issues aggregating digests, and the possibilities for
combining digests, see othersrc/external/bsd/multigest for an
implementation of that. The last time we changed a digest would have
been about 15 years ago. I'd like to get this in place in time for the
2015Q4 branch.

Technically, all that needs to be done is to add SHA512 to the list of
digests for distfiles:

--------------------------------------------------

cvs diff: Diffing mk/checksum
Index: mk/checksum/checksum.mk
===================================================================
RCS file: /cvsroot/pkgsrc/mk/checksum/checksum.mk,v
retrieving revision 1.20
diff -u -r1.20 checksum.mk
--- mk/checksum/checksum.mk     16 Nov 2013 15:29:39 -0000      1.20
+++ mk/checksum/checksum.mk     8 Oct 2015 18:12:10 -0000
@@ -3,7 +3,7 @@
 # See bsd.checksum.mk for helpful comments.
 #

-_DIGEST_ALGORITHMS?=   SHA1 RMD160
+_DIGEST_ALGORITHMS?=   SHA1 RMD160 SHA512
 _PATCH_DIGEST_ALGORITHMS?=     SHA1

 # These variables are set by pkgsrc/mk/fetch/bsd.fetch-vars.mk.

--------------------------------------------------

And then when the distinfo file is generated, it will include an
SHA512 digest as well as the others. Similarly, if a package's
distinfo does not have a SHA512 digest, it will just use the existing
SHA1 and RMD160 ones.

In this way, pkgsrc distinfo files will be updated over time to have 3
digests, with a mopping up operation for some of the packages which
aren't so volatile.

Does anyone have any problems with this?

Thanks,
Alistair

Follow-Ups:
- Re: Adding SHA-512 to the list of digests
  - From: Joerg Sonnenberger
- Re: Adding SHA-512 to the list of digests
  - From: Taylor R Campbell
- Re: Adding SHA-512 to the list of digests
  - From: Tobias Nygren

Prev by Date: daily pkgsrc CVS update output
Next by Date: Re: Adding SHA-512 to the list of digests
Previous by Thread: daily pkgsrc CVS update output
Next by Thread: Re: Adding SHA-512 to the list of digests
Indexes:

Home | Main Index | Thread Index | Old Index