Re: [dev] Checksums and Sig files for release gzip

From: Daniel Cegiełka <daniel.cegielka_AT_gmail.com>
Date: Tue, 13 Apr 2021 19:38:29 +0200

Tue, 13 Apr 2021 at 18:05 Mattias Andrée <maandree_AT_kth.se> wrote:
>
> On Tue, 13 Apr 2021 16:57:39 +0200
> Sagar Acharya <sagaracharya_AT_tutanota.com> wrote:
>
> > Sure, any good signature. SHA512 is stronger than SHA1, MD5 and SHA256. It shouldn't take a second more than others. Why use a weaker checksum?
>
> SHA512 is actually more than twice as fast as SHA256 on 64-bit machines.
> (I don't know which is stronger).

> I see no point in having checksums at all, except for detecting bitrot.

BLAKE3 is one of the best ways to do it:

https://github.com/BLAKE3-team/BLAKE3

even BLAKE2 is better than SHA256 or SHA512. Plus my _OLD_ one-file
implementation of blake2b (license the same as the original) and no
support for keys.

Daniel



> Signatures are of course good.
>
> > Thanking you
> > Sagar Acharya
> > https://designman.org
> >
> >
> >
> > 13 Apr 2021, 20:15 by daniel.cegielka_AT_gmail.com:
> >
> > > How/where is SHA512 better than SHA256 or SHA1? I don't see any added
> > > value in this. If someone breaks into your server and replaces files,
> > > they may also regenerate the checksums (SHA256/512 or SHA3, scrypt
> > > etc.). The use of MD5 will be as (un)safe as SHA512 :)
> > >
> > > A better solution is e.g. signify from OpenBSD or GnuPG.
> > >
> > > https://man.openbsd.org/signify
> > >
> > > Daniel
> > >
> > > Tue, 13 Apr 2021 at 13:36 Sagar Acharya <sagaracharya_AT_tutanota.com> wrote:
> > >
> > >>
> > >> Can we have SHA512 checksums and sig files for the release gzips of suckless software?
> > >>
> > >> Thanking you
> > >> Sagar Acharya
> > >> https://designman.org
> > >>
> >
>
>
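The server-compromise scenario from the quoted message, as an added example in Go (not code from suckless, signify, or anyone in this thread): a release is published with a SHA-512 checksum file and a detached signature, an attacker with write access to the mirror swaps the tarball and regenerates the checksum, and a downloader then runs both checks. Ed25519 from the Go standard library stands in for signify/GnuPG (signify's file format is not reproduced), the tarball contents and the fixed signing seed are constructed for the demo, and the function and type names are my own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha512"
	"encoding/hex"
	"fmt"
)

// Release is what a download mirror serves: the tarball, the checksum
// file published beside it and a detached signature file.
type Release struct {
	Tarball  []byte
	Checksum string // hex SHA-512 of Tarball, the contents of a .sha512 file
	Sig      []byte // Ed25519 signature over Tarball, the contents of a .sig file
}

// fixedSeed stands in for the maintainer's signing key so the run is
// reproducible (assumption for the demo); a real key would come from
// ed25519.GenerateKey and never live on the web server.
var fixedSeed = []byte("suckless-example-seed-32-bytes!!") // exactly 32 bytes

func sha512Hex(b []byte) string {
	sum := sha512.Sum512(b)
	return hex.EncodeToString(sum[:])
}

// Publish is the maintainer's release step, run on the machine that
// holds the private key.
func Publish(priv ed25519.PrivateKey, tarball []byte) Release {
	return Release{
		Tarball:  tarball,
		Checksum: sha512Hex(tarball),
		Sig:      ed25519.Sign(priv, tarball),
	}
}

// VerifyChecksum does what `sha512sum -c` does: recompute and compare
// against the checksum file that sits next to the tarball.
func VerifyChecksum(r Release) bool {
	return sha512Hex(r.Tarball) == r.Checksum
}

// VerifySignature does what `signify -V` or `gpg --verify` does: check
// the detached signature against a public key the downloader obtained
// out of band (not from the same server as the tarball).
func VerifySignature(pub ed25519.PublicKey, r Release) bool {
	return ed25519.Verify(pub, r.Tarball, r.Sig)
}

// Tamper models the attacker from the thread: write access to the
// server lets them replace the tarball and regenerate the checksum
// file, but the signing key is not on the server, so the stale
// signature is all they can leave behind.
func Tamper(r Release, evil []byte) Release {
	return Release{Tarball: evil, Checksum: sha512Hex(evil), Sig: r.Sig}
}

// Demo returns whether the genuine release's signature verifies, whether
// the trojaned release still passes the checksum, and whether the
// trojaned release passes the signature check.
func Demo() (genuineSigOK, tamperedSumOK, tamperedSigOK bool) {
	priv := ed25519.NewKeyFromSeed(fixedSeed)
	pub := priv.Public().(ed25519.PublicKey)

	// Constructed stand-ins for a release tarball and a backdoored copy.
	genuine := Publish(priv, []byte("release.tar.gz: genuine contents"))
	trojaned := Tamper(genuine, []byte("release.tar.gz: backdoored contents"))

	return VerifySignature(pub, genuine),
		VerifyChecksum(trojaned),
		VerifySignature(pub, trojaned)
}

func main() {
	a, b, c := Demo()
	fmt.Printf("genuine release, signature ok:  %v\n", a)
	fmt.Printf("trojaned release, checksum ok:  %v (attacker regenerated it)\n", b)
	fmt.Printf("trojaned release, signature ok: %v\n", c)
}
```

The checksum passes on the trojaned file no matter which hash function is used, because the attacker computed it; only the check that needs a key the server does not hold fails. The checksum still earns its place for catching bitrot or a truncated download, as long as the signature is what gates installation.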

Received on Tue Apr 13 2021 - 19:38:29 CEST

This archive was generated by hypermail 2.3.0 : Wed Apr 14 2021 - 12:36:08 CEST