Re: [RFC PATCH v1] module: sign with sha512 by default to avoid build errors

From: Luis Chamberlain
Date: Fri Oct 11 2024 - 19:15:24 EST


On Fri, Oct 11, 2024 at 02:00:47PM +0200, Thorsten Leemhuis wrote:
> On 11.10.24 12:27, Thorsten Leemhuis wrote:
> > On 10.10.24 17:52, Sami Tolvanen wrote:
> > Thx for your feedback!
> >> On Thu, Oct 10, 2024 at 1:57 AM Thorsten Leemhuis <linux@xxxxxxxxxxxxx> wrote:
> >>> On 10.10.24 10:42, Sedat Dilek wrote:
> >>>> On Thu, Oct 10, 2024 at 10:29 AM Sedat Dilek <sedat.dilek@xxxxxxxxx> wrote:
> >>>>> On Thu, Oct 10, 2024 at 10:19 AM Thorsten Leemhuis <linux@xxxxxxxxxxxxx> wrote:
> >>>>>> On 10.10.24 09:00, Thorsten Leemhuis wrote:
> >>
> >>> P.S.: Vegard Nossum mentioned in the fediverse that I could also solve
> >>> the problem the patch is about by adding "default MODULE_SIG_SHA512" to
> >>> the "choice" section; haven't tried that, but that sounds like a better
> >>> solution. Will likely give it a try, unless someone brings up unwanted
> >>> side effects this might cause.
> >>
> >> Yes, that would be a much better way to change the default. Overall,
> >> moving away from SHA-1 seems like a good idea and SHA-512 feels like a
> >> reasonable choice. Luis, do you see any issues with changing the
> >> default here?
> >
> > So, how do I make such a default choice work without breaking the
> > current magic, which looks like this:
> > [...]
>
> Ignore that, I was missing something obvious and got misled by my
> brain, sorry for the noise. Will send an updated patch in a few days to
> give Luis and others a chance to raise objections reg. switching to SHA512.

The commit log goes something like this:

Fix build by switching to sha512 by default.

The commit log should be imperative about the crap show issue without
the build considerations. Beat down the current default, call it names,
give URLs to back it up. You "noticed" this issue because the build
fails.

Luis