Regards
K.
From: Warren Young <war...@etr-usa.com>
To: Fossil SCM user's discussion <fossil-users@lists.fossil-scm.org>
Sent: Monday, 27 February 2017, 18:10
Subject: Re: [fossil-users] Google Security Blog: Announcing the first SHA1
collision
On Feb 26,
On 2/27/17, Warren Young wrote:
> On Feb 26, 2017, at 2:58 PM, Stephan Beal wrote:
>>
>> just FYI, Linus' own words on the topic, posted yesterday:
>>
>> https://plus.google.com/u/0/+LinusTorvalds/posts/7tp2gYWQugL
>
> Point #1 misses the fact that
On Feb 26, 2017, at 2:58 PM, Stephan Beal wrote:
>
> just FYI, Linus' own words on the topic, posted yesterday:
>
> https://plus.google.com/u/0/+LinusTorvalds/posts/7tp2gYWQugL
Point #1 misses the fact that people *do* rely on Git hashes for security.
Maybe they’re not
On Feb 26, 2017, at 2:34 PM, Richard Hipp wrote:
>
> On 2/23/17, Warren Young wrote:
>>
>> I think Fossil is in a much better position to do this sort of migration
>> than, say, Git, due to its semi-centralized nature.
>
> it is reasonable to argue that
On Feb 26, 2017, at 2:04 PM, Ron W wrote:
>
> From: Warren Young
>
> > The PHC scheme would allow Fossil to migrate to something stronger in a
> > backwards-compatible fashion:
>
> The PHC scheme is conceptually good, but is not friendly for use by
: Stephan Beal <sgb...@googlemail.com>
To: Fossil SCM user's discussion <fossil-users@lists.fossil-scm.org>
Sent: Sunday, 26 February 2017, 21:58
Subject: Re: [fossil-users] Google Security Blog: Announcing the first SHA1
collision
On Sun, Feb 26, 2017 at 10:34 PM, Richard
On Sun, Feb 26, 2017 at 10:34 PM, Richard Hipp wrote:
> And in any event, I don't think centralization is a factor here.
> Fossil is better positioned than Git or Mercurial to transition to a
> different hash algorithm because the Fossil implementation uses a
> relational
On 2/23/17, Warren Young wrote:
>
> I think Fossil is in a much better position to do this sort of migration
> than, say, Git, due to its semi-centralized nature.
Though they are technically distinct, in the minds of many users Git
and GitHub are the same thing. And GitHub
On Thu, Feb 23, 2017 at 11:23 PM, wrote:
>
> Date: Fri, 24 Feb 2017 04:23:06 + (UTC)
> From: "K. Fossil user"
> To: Fossil SCM user's discussion
> Subject:
> 2/ semi?
>
> > « I
On Thu, Feb 23, 2017 at 7:02 PM, <fossil-users-requ...@lists.fossil-scm.org>
wrote:
>
> Date: Thu, 23 Feb 2017 17:01:56 -0700
> From: Warren Young <war...@etr-usa.com>
> Subject: Re: [fossil-users] Google Security Blog: Announcing the first
> SHA1 collision
>
On Fri, Feb 24, 2017 at 5:54 PM, <fossil-users-requ...@lists.fossil-scm.org>
wrote:
>
> Date: Fri, 24 Feb 2017 20:38:48 +0100
> From: Joerg Sonnenberger <jo...@bec.de>
> Subject: Re: [fossil-users] Google Security Blog: Announcing the first
> SHA1 collision
>
On Fri, Feb 24, 2017 at 03:54:56PM -0700, Warren Young wrote:
> On Feb 24, 2017, at 10:37 AM, Joerg Sonnenberger wrote:
> >
> > On Thu, Feb 23, 2017 at 05:01:56PM -0700, Warren Young wrote:
> >> But now we have new data.
> >> Before, this sort of attack was theoretical only. Now
On 2/23/2017 4:01 PM, Warren Young wrote:
The PHC scheme would allow Fossil to migrate to something stronger in a
backwards-compatible fashion:
https://github.com/P-H-C/phc-string-format/blob/master/phc-sf-spec.md
That is, if the hash argument in the F, P, and Q cards is not 40
On Feb 24, 2017, at 10:37 AM, Joerg Sonnenberger wrote:
>
> On Thu, Feb 23, 2017 at 05:01:56PM -0700, Warren Young wrote:
>> But now we have new data.
>> Before, this sort of attack was theoretical only. Now it’s not only
>> proven possible, it is already within the ROI budget for
On Fri, Feb 24, 2017 at 10:32:20AM -0800, bch wrote:
> Are you saying:
>
> contenthash = sha256(content);
> identifier = sha256 (contenthash . blobtype . contentsize . content);
>
> "blobtype" == cardtype ?
Yes.
Joerg
Are you saying:
contenthash = sha256(content);
identifier = sha256 (contenthash . blobtype . contentsize . content);
"blobtype" == cardtype ?
-bch
On 2/24/17, Joerg Sonnenberger wrote:
> On Thu, Feb 23, 2017 at 05:01:56PM -0700, Warren Young wrote:
>> Second, there will be
On Thu, Feb 23, 2017 at 05:01:56PM -0700, Warren Young wrote:
> Second, there will be those who say we’ve covered all of this already,
> multiple times. I know, I was there. But now we have new data.
> Before, this sort of attack was theoretical only. Now it’s not only
> proven possible, it is
l SCM user's discussion <fossil-users@lists.fossil-scm.org>
Sent: Friday, 24 February 2017, 0:01
Subject: Re: [fossil-users] Google Security Blog: Announcing the first SHA1
collision
On Feb 23, 2017, at 10:50 AM, Marc Simpson <m...@0branch.com> wrote:
>
> This m
ees Nuyt <k.n...@zonnet.nl>
To: fossil-us...@mailinglists.sqlite.org
Sent: Thursday, 23 February 2017, 18:15
Subject: Re: [fossil-users] Google Security Blog: Announcing the first SHA1
collision
[Default] On Thu, 23 Feb 2017 09:50:12 -0800, Marc Simpson
<m...@0branch.com> wrote:
On Thu, Feb 23, 2017 at 06:12:18PM -0500, Martin Gagnon wrote:
> Seems that Git can store both of them, I believe it calculates the sha1
> on a combination of the filename and the content or something like that.
No, it stores the object type first, which effectively creates a
different block
On Feb 23, 2017, at 10:50 AM, Marc Simpson wrote:
>
> This may be of interest to some here, especially in light of previous
> SHA-1 related discussions on list:
>
> https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html
Before I respond, first know that
On Thu, Feb 23, 2017 at 03:18:29PM -0800, bch wrote:
[snip]
>
> Or more correctly, "a *subsequent* file with the same sha1 hash..." If you
> happened to commit the Trojan file first, the "good" commit would have been
> the one to fail.
>
True, but if you pull from untrusted user (or give push
On Feb 23, 2017 15:12, "Martin Gagnon" wrote:
On Thu, Feb 23, 2017 at 09:50:12AM -0800, Marc Simpson wrote:
> This may be of interest to some here, especially in light of previous
> SHA-1 related discussions on list:
>
>
On Thu, Feb 23, 2017 at 09:50:12AM -0800, Marc Simpson wrote:
> This may be of interest to some here, especially in light of previous
> SHA-1 related discussions on list:
>
> https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html
>
Also, here's a related discussion from
[Default] On Thu, 23 Feb 2017 09:50:12 -0800, Marc Simpson
wrote:
>This may be of interest to some here, especially in light of previous
>SHA-1 related discussions on list:
>
> https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html
Interesting.