Hello, I can't believe that a so called community manager (Warren) could say theses ... :D I assume that most of you have read Warren Stuff ? 1/ Hey Warren, you know nothing about security software so don't speak about it. :-|
2/ CentOS does not need any advice from you : they know their stuff.a) SHA algorithm is not an issue when it is more a test for integrity such as MD5 for files than anything else.b) You are like a kid who focuses on ONE thing when people like me are focusing in MANY things even when it comes to ONE subject.c) CentOS uses many tools to know who is sending what.You could force people to follow some procedures to be allowed to put a precise info into a specific server : Say, you can ask the guy to use SSH first to connect, and only after he could work : no GPG, nothing else needed...I don't even talk about port knocking... So they can rely on ONLY SHA1 if they want that, this is not an issue at all ! So YOUR sentence "it’ll be a problem if git.centos.org is still relying on SHA1 hashes" IS NOT RELEVANT. 3/>"Point #2 is also questionable. Torvalds is assuming that any collision attack on a Git" Really ? As I understand Fossil points (security etc) are not seriously questionable [for you] ... but Linus point is ? Are you kidding ? MY assumption is that Linus would like that a guy such as a Fossil Team guy, could understand that it is NOT that hard to make some changes with the SHA algorithm... In another word : 4/ When you say that plans are easy but execution is hard ... You miss the point.a) Plans are necessary for serious project.b) Plans done, execution is not that hard : it may take time but it is not that hard.c) Appropriate tools are needed to achieve plans in time and expectations... Serious project = Plans ! OK ? If for you SHA1 is not a serious project, then I would like you to explain it to us... :D 5/ All this said :I've noticed that there are too much details in Linus Torvald discuss. I suppose that he was thinking about guys like you Warren ?You know the guy that don't get it. :-) Regards K. De : Warren Young <war...@etr-usa.com> À : Fossil SCM user's discussion <fossil-users@lists.fossil-scm.org> Envoyé le : Lundi 27 février 2017 18h10 Objet : Re: [fossil-users] Google Security Blog: Announcing the first SHA1 collision On Feb 26, 2017, at 2:58 PM, Stephan Beal <sgb...@googlemail.com> wrote: > > just FYI, Linus' own words on the topic, posted yesterday: > > https://plus.google.com/u/0/+LinusTorvalds/posts/7tp2gYWQugL Point #1 misses the fact that people *do* rely on Git hashes for security. Maybe they’re not “supposed” to, but they do. For example, the CentOS sources are published through Git these days, rather than as a pile of potentially-signed SRPM files. This means the only assurance you have that the content checked into Git hasn’t been tampered with is that the hashes are consistent. (I randomly inspected one of their repos, and it doesn’t use GPG signed commits, so the hashes are all you’ve got.) This is adequate security today, but once bad actors can do these SHA1 attacks inexpensively, it’ll be a problem if git.centos.org is still relying on SHA1 hashes. Point #2 is also questionable. Torvalds is assuming that any collision attack on a Git checkin will be detectable because of the random noise you have to insert into both instances to make them match. Except that you don’t have to do it with random noise. Thought experiment time: Given that it is now mature technology to be able to react to a useful subset of the spoken English language either over a crappy cell phone connection or via shouting at a microphone in a canister in the next room, complete with query chaining (e.g. Google Now, Amazon Echo, etc.) how much more difficult is it to write an “AI” that can automatically generate sane-looking but harmless C code in the middle of a pile of other C code to fuzz its data bits? I have no training in AI type stuff, but I think I could do a pretty decent job just by feeding a large subset of GitHub into a Markov chain model. Now imagine what someone with training, motivation, and resources could do. Or, don't imagine. Just go read the Microsoft Research paper on DeepCoder: https://news.ycombinator.com/item?id=13720580 I suspect there are parts of the Linux kernel sources that are indistinguishable from the output of a Markov chain model. :) *Someone* allowed those patches to be checked in. As for his point #3, he just offers it without support. He says there’s a plan. Well, we have a plan, too. Plans are easy. Execution is the hard part. _______________________________________________ fossil-users mailing list fossil-users@lists.fossil-scm.org http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
_______________________________________________ fossil-users mailing list fossil-users@lists.fossil-scm.org http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users