Hello, On Tue 23 Jul 2019 at 08:13PM +02, Ansgar Burchardt wrote: > There are also other useful properties the current implementation has: > for example the archive contains the artifact that was signed. This can > be checked at a later time unlike a Git tag on salsa.d.o that may or may > not exist in the future. It is always possible to go back to the key > that was used to introduce an artifact without having to trust any > system. I mentioned this to you on IRC, but for the benefit of others reading, the DD-signed tag gets pushed to dgit-repos by the intermediary service, and cannot be deleted from there except by the service admin. Thus, with tag2upload it is possible to go back to the key that introduced the artifact in the way you describe. >> But >> if it's not simple to pick a different hash, SHA-1 preimage resistance is >> reasonable and the other design properties of the system should dominate >> any concern about SHA-1 preimage attacks. > > What about MD5's preimage resistance? We don't really care about > collision attacks after all. I can't see how MD5 is relevant to this discussion. > We have most infrastructure already using SHA-2 and there are > preparations to support newer hashes as well; it is a regression to > introduce a new system bound to SHA1 for the foreseeable future (and > given Git's use of SHA1 their need to require a strong hash is far > less). I think Russ' point is that this regression is a reasonable one, given the benefits against which it is to be traded off. -- Sean Whitton
Attachment:
signature.asc
Description: PGP signature