On 19/10/2016 02:45, K. Fossil user wrote:
> Hi,
>
> 1/ Does Fossil use SHA1 ?
> Oo
> Too bad if it is.
> At least I expect that we've got a choice : sha256, sha512, etc. ...
from https://en.wikipedia.org/wiki/SHA-1#Data_integrity

Revision control <https://en.wikipedia.org/wiki/Revision_control>
systems such as Git <https://en.wikipedia.org/wiki/Git_%28software%29>
and Mercurial <https://en.wikipedia.org/wiki/Mercurial> use SHA-1 not
for security but for ensuring that the data has not changed due to
accidental corruption. Linus Torvalds
<https://en.wikipedia.org/wiki/Linus_Torvalds> said about Git:

    If you have disk corruption, if you have DRAM corruption, if you
    have any kind of problems at all, Git will notice them. It's not a
    question of /if/, it's a guarantee. You can have people who try to
    be malicious. They won't succeed. [...] Nobody has been able to
    break SHA-1, but the point is the SHA-1, as far as Git is concerned,
    isn't even a security feature. It's purely a consistency check. The
    security parts are elsewhere, so a lot of people assume that since
    Git uses SHA-1 and SHA-1 is used for cryptographically secure stuff,
    they think that, Okay, it's a huge security feature. It has nothing
    at all to do with security, it's just the best hash you can get. [...]
    I guarantee you, if you put your data in Git, you can trust the fact
    that five years later, after it was converted from your hard disk to
    DVD to whatever new technology and you copied it along, five years
    later you can verify that the data you get back out is the exact
    same data you put in. [...]
    One of the reasons I care is for the kernel, we had a break in on
    one of the BitKeeper sites where people tried to corrupt the kernel
    source code repositories.^[18]
    <https://en.wikipedia.org/wiki/SHA-1#cite_note-18> However Git does
    not require the second preimage resistance
    <https://en.wikipedia.org/wiki/Second_preimage_resistance> of SHA-1
    as a security feature, since it will always prefer to keep the
    earliest version of an object in case of collision, preventing an
    attacker from surreptitiously overwriting files.^[19]
    <https://en.wikipedia.org/wiki/SHA-1#cite_note-19> 


Better question can be, how fossil manage collisions?

Best regards

_______________________________________________
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users

Reply via email to