[gentoo-dev] Obsolete manifest-hashes in third-party repositories

    From Michał Górny@21:1/5 to All on Fri Dec 30 14:00:01 2022
    Hello, everyone.

    TL;DR: if you're running your own repository, please 1) make sure that
    you don't include deprecated hashes in manifest-hashes, and 2) consider
    removing custom manifest-hashes and just going with the default.


    Many third-party Gentoo repositories right now include manifest-hashes declaration in their metadata/layout.conf. From a quick look, I think
    that at least some of them are copied from ::gentoo at a particular
    time, and eventually grew out of date.

    One hash of particular concern is WHIRLPOOL. As of OpenSSL-3 it is no
    longer provided by default, and therefore Portage started falling back
    to the very slow Python implementation. And by "very slow", I actually
    mean atrociously slow -- it takes 6 seconds to hash a 1 MiB file
    here [1].

    While there are measures in place to avoid this, it brings a more
    general problem of outdated hashes to my attention. Therefore, I'd like
    to ask repository owners to:

    1) Consider if they really need to redefine manifest-hashes. The key is
    not mandatory, and if the defaults work fine for you, please just remove
    it and let the PMs use the defaults.

    2) Check if their custom manifest-hashes aren't obsolete. At least MD5,
    SHA1, RMD160 and WHIRLPOOL hashes should be considered deprecated
    at this moment. I'd also recommend including at least one BLAKE2
    (BLAKE2B, BLAKE2S) or SHA2 (SHA256, SHA512) variant for the best
    interoperability combined with security.

    3) Regenerate Manifests if they have changed manifest-hashes.
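    A small audit for the three points above, written as an added example
    (this is not Portage code, and the two layout.conf samples are constructed):
    it reads the manifest-hashes key, flags the deprecated algorithms named
    in this mail, and reports when no BLAKE2 or SHA2 variant is listed.

```python
# Added example: audit metadata/layout.conf for obsolete manifest-hashes.
# Not Portage code; the layout.conf samples below are constructed.

# Hashes the mail calls deprecated, and the ones it recommends keeping.
DEPRECATED = {"MD5", "SHA1", "RMD160", "WHIRLPOOL"}
RECOMMENDED = {"BLAKE2B", "BLAKE2S", "SHA256", "SHA512"}


def parse_layout_conf(text):
    """Return layout.conf as a key -> value dict (comments and blanks skipped)."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def audit_manifest_hashes(text):
    """Return findings for manifest-hashes; [] means defaults apply or all is fine."""
    conf = parse_layout_conf(text)
    if "manifest-hashes" not in conf:
        return []  # key omitted: the package manager's defaults are used
    hashes = {h.upper() for h in conf["manifest-hashes"].split()}
    findings = []
    obsolete = sorted(hashes & DEPRECATED)
    if obsolete:
        findings.append("deprecated hashes present: " + ", ".join(obsolete))
    if not hashes & RECOMMENDED:
        findings.append("no BLAKE2 or SHA2 variant listed")
    return findings


# Constructed samples: a stale copy of an old ::gentoo setting, and a clean one.
STALE = """masters = gentoo
manifest-hashes = SHA256 SHA512 WHIRLPOOL
thin-manifests = true
"""
CLEAN = """masters = gentoo
# manifest-hashes left unset, so the PM default applies
thin-manifests = true
"""

if __name__ == "__main__":
    for name, sample in (("stale", STALE), ("clean", CLEAN)):
        print(name, audit_manifest_hashes(sample) or ["ok"])
```

    If the audit reports anything, fix or drop the key and regenerate the
    Manifests, as step 3 says.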

    TIA.


    [1] https://bugs.gentoo.org/885909

    --
    Best regards,
    Michał Górny
