Thus said John Long on Wed, 28 Aug 2013 11:57:01 -0000:
> There are two "value added" things digital signing provides over
> hashing in this specific example when fossil uses SHA1. One, a person
> is taking responsibility for a commit and saying "I did this". Two,
> PGP can use much stronger hashes than SHA1. What problem are we
> trying to solve? If we're worried about detecting inadvertent data
> corruption, then SHA1 is very likely good enough.

As to your question of what problem the SHA1 is used to solve:

    2.1 Identification Of Artifacts

    A particular version of a particular file is called an
    "artifact". Each artifact has a universally unique name which is
    the SHA1 hash of the content of that file expressed as 40
    characters of lower-case hexadecimal. Such a hash is referred to
    as the Artifact Identifier or Artifact ID for the artifact. The
    SHA1 algorithm is created with the purpose of providing a highly
    forgery-resistant identifier for a file. Given any file it is
    simple to find the artifact ID for that file. But given an
    artifact ID it is computationally intractable to generate a file
    that will have that Artifact ID.

    ...

    Changing (or adding or removing) a single byte in a file results
    in a completely different artifact ID. And since the artifact ID
    is the name of the artifact, making any change to a file results
    in a new artifact. In this way, artifacts are immutable.

http://www.fossil-scm.org/index.html/doc/trunk/www/concepts.wiki

Andy
--
TAI64 timestamp: 40000000521e009b