Message-ID: <ZwmxaetqecTR5jAE@bombadil.infradead.org>
Date: Fri, 11 Oct 2024 16:14:49 -0700
From: Luis Chamberlain <mcgrof@...nel.org>
To: Thorsten Leemhuis <linux@...mhuis.info>
Cc: Sami Tolvanen <samitolvanen@...gle.com>, sedat.dilek@...il.com,
	Petr Pavlu <petr.pavlu@...e.com>,
	Daniel Gomez <da.gomez@...sung.com>, linux-modules@...r.kernel.org,
	Masahiro Yamada <masahiroy@...nel.org>,
	linux-kbuild@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [RFC PATCH v1] module: sign with sha512 by default to avoid
 build errors

On Fri, Oct 11, 2024 at 02:00:47PM +0200, Thorsten Leemhuis wrote:
> On 11.10.24 12:27, Thorsten Leemhuis wrote:
> > On 10.10.24 17:52, Sami Tolvanen wrote:
> > Thx for your feedback!
> >> On Thu, Oct 10, 2024 at 1:57 AM Thorsten Leemhuis <linux@...mhuis.info> wrote:
> >>> On 10.10.24 10:42, Sedat Dilek wrote:
> >>>> On Thu, Oct 10, 2024 at 10:29 AM Sedat Dilek <sedat.dilek@...il.com> wrote:
> >>>>> On Thu, Oct 10, 2024 at 10:19 AM Thorsten Leemhuis <linux@...mhuis.info> wrote:
> >>>>>> On 10.10.24 09:00, Thorsten Leemhuis wrote:
> >>
> >>> P.S.: Vegard Nossum mentioned in the fediverse that I could also solve
> >>> the problem the patch is about by adding "default MODULE_SIG_SHA512" to
> >>> the "choice" section; haven't tried that, but that sounds like a better
> >>> solution. Will likely give it a try, unless someone brings up unwanted
> >>> side effects this might cause.
> >>
> >> Yes, that would be a much better way to change the default. Overall,
> >> moving away from SHA-1 seems like a good idea and SHA-512 feels like a
> >> reasonable choice. Luis, do you see any issues with changing the
> >> default here?
> > 
> > So, how do I make such a default choice work without breaking the
> > current magic, which looks like this:
> > [...]
> 
> Ignore that, I was missing something obvious and got misled by my
> brain, sorry for the noise. Will send an updated patch in a few days to
> give Luis and others a chance to raise objections reg. switching to SHA512.

The commit log goes something like this:

Fix build by switching to sha512 by default.

The commit log should be imperative about the crap show issue without
the build considerations. Beat down the current default, call it names,
give URLs to back it up. You "noticed" this issue because the build
fails.

  Luis
