Re: [fossil-users] Google Security Blog: Announcing the first SHA1 collision

2017-02-27 Thread K. Fossil user
Regards K. From: Warren Young <war...@etr-usa.com> To: Fossil SCM user's discussion <fossil-users@lists.fossil-scm.org> Sent: Monday 27 February 2017 18:10 Subject: Re: [fossil-users] Google Security Blog: Announcing the first SHA1 collision On Feb 26,

Re: [fossil-users] Google Security Blog: Announcing the first SHA1 collision

2017-02-27 Thread bch
On 2/27/17, Warren Young wrote: > On Feb 26, 2017, at 2:58 PM, Stephan Beal wrote: >> >> just FYI, Linus' own words on the topic, posted yesterday: >> >> https://plus.google.com/u/0/+LinusTorvalds/posts/7tp2gYWQugL > > Point #1 misses the fact that

Re: [fossil-users] Google Security Blog: Announcing the first SHA1 collision

2017-02-27 Thread Warren Young
On Feb 26, 2017, at 2:58 PM, Stephan Beal wrote: > > just FYI, Linus' own words on the topic, posted yesterday: > > https://plus.google.com/u/0/+LinusTorvalds/posts/7tp2gYWQugL Point #1 misses the fact that people *do* rely on Git hashes for security. Maybe they’re not

Re: [fossil-users] Google Security Blog: Announcing the first SHA1 collision

2017-02-27 Thread Warren Young
On Feb 26, 2017, at 2:34 PM, Richard Hipp wrote: > > On 2/23/17, Warren Young wrote: >> >> I think Fossil is in a much better position to do this sort of migration >> than, say, Git, due to its semi-centralized nature. > > it is reasonable to argue that

Re: [fossil-users] Google Security Blog: Announcing the first SHA1 collision

2017-02-27 Thread Warren Young
On Feb 26, 2017, at 2:04 PM, Ron W wrote: > > From: Warren Young > > > The PHC scheme would allow Fossil to migrate to something stronger in a > > backwards-compatible fashion: > > The PHC scheme is conceptually good, but is not friendly for use by

Re: [fossil-users] Google Security Blog: Announcing the first SHA1 collision

2017-02-26 Thread K. Fossil user
: Stephan Beal <sgb...@googlemail.com> To: Fossil SCM user's discussion <fossil-users@lists.fossil-scm.org> Sent: Sunday 26 February 2017 21:58 Subject: Re: [fossil-users] Google Security Blog: Announcing the first SHA1 collision On Sun, Feb 26, 2017 at 10:34 PM, Richard

Re: [fossil-users] Google Security Blog: Announcing the first SHA1 collision

2017-02-26 Thread Stephan Beal
On Sun, Feb 26, 2017 at 10:34 PM, Richard Hipp wrote: > And in any event, I don't think centralization is a factor here. > Fossil is better positioned than Git or Mercurial to transition to a > different hash algorithm because the Fossil implementation uses a > relational

Re: [fossil-users] Google Security Blog: Announcing the first SHA1 collision

2017-02-26 Thread Richard Hipp
On 2/23/17, Warren Young wrote: > > I think Fossil is in a much better position to do this sort of migration > than, say, Git, due to its semi-centralized nature. Though they are technically distinct, in the minds of many users Git and GitHub are the same thing. And GitHub

Re: [fossil-users] Google Security Blog: Announcing the first SHA1 collision

2017-02-26 Thread Ron W
On Thu, Feb 23, 2017 at 11:23 PM, wrote: > > Date: Fri, 24 Feb 2017 04:23:06 + (UTC) > From: "K. Fossil user" > To: Fossil SCM user's discussion > Subject: > 2/ semi? > > > « I

Re: [fossil-users] Google Security Blog: Announcing the first SHA1 collision

2017-02-26 Thread Ron W
On Thu, Feb 23, 2017 at 7:02 PM, <fossil-users-requ...@lists.fossil-scm.org> wrote: > > Date: Thu, 23 Feb 2017 17:01:56 -0700 > From: Warren Young <war...@etr-usa.com> > Subject: Re: [fossil-users] Google Security Blog: Announcing the first > SHA1 collision >

Re: [fossil-users] Google Security Blog: Announcing the first SHA1 collision

2017-02-26 Thread Ron W
On Fri, Feb 24, 2017 at 5:54 PM, <fossil-users-requ...@lists.fossil-scm.org> wrote: > > Date: Fri, 24 Feb 2017 20:38:48 +0100 > From: Joerg Sonnenberger <jo...@bec.de> > Subject: Re: [fossil-users] Google Security Blog: Announcing the first > SHA1 collision >

Re: [fossil-users] Google Security Blog: Announcing the first SHA1 collision

2017-02-25 Thread Joerg Sonnenberger
On Fri, Feb 24, 2017 at 03:54:56PM -0700, Warren Young wrote: > On Feb 24, 2017, at 10:37 AM, Joerg Sonnenberger wrote: > > > > On Thu, Feb 23, 2017 at 05:01:56PM -0700, Warren Young wrote: > >> But now we have new data. > >> Before, this sort of attack was theoretical only. Now

Re: [fossil-users] Google Security Blog: Announcing the first SHA1 collision

2017-02-24 Thread Ross Berteig
On 2/23/2017 4:01 PM, Warren Young wrote: The PHC scheme would allow Fossil to migrate to something stronger in a backwards-compatible fashion: https://github.com/P-H-C/phc-string-format/blob/master/phc-sf-spec.md That is, if the hash argument in the F, P, and Q cards is not 40

Re: [fossil-users] Google Security Blog: Announcing the first SHA1 collision

2017-02-24 Thread Warren Young
On Feb 24, 2017, at 10:37 AM, Joerg Sonnenberger wrote: > > On Thu, Feb 23, 2017 at 05:01:56PM -0700, Warren Young wrote: >> But now we have new data. >> Before, this sort of attack was theoretical only. Now it’s not only >> proven possible, it is already within the ROI budget for

Re: [fossil-users] Google Security Blog: Announcing the first SHA1 collision

2017-02-24 Thread Joerg Sonnenberger
On Fri, Feb 24, 2017 at 10:32:20AM -0800, bch wrote: > Are you saying: > > contenthash = sha256(content); > identifier = sha256 (contenthash . blobtype . contentsize . content); > > "blobtype" == cardtype ? Yes. Joerg

Re: [fossil-users] Google Security Blog: Announcing the first SHA1 collision

2017-02-24 Thread bch
Are you saying: contenthash = sha256(content); identifier = sha256 (contenthash . blobtype . contentsize . content); "blobtype" == cardtype ? -bch On 2/24/17, Joerg Sonnenberger wrote: > On Thu, Feb 23, 2017 at 05:01:56PM -0700, Warren Young wrote: >> Second, there will be

Re: [fossil-users] Google Security Blog: Announcing the first SHA1 collision

2017-02-24 Thread Joerg Sonnenberger
On Thu, Feb 23, 2017 at 05:01:56PM -0700, Warren Young wrote: > Second, there will be those who say we’ve covered all of this already, > multiple times. I know, I was there. But now we have new data. > Before, this sort of attack was theoretical only. Now it’s not only > proven possible, it is

Re: [fossil-users] Google Security Blog: Announcing the first SHA1 collision

2017-02-23 Thread K. Fossil user
l SCM user's discussion <fossil-users@lists.fossil-scm.org> Sent: Friday 24 February 2017 00:01 Subject: Re: [fossil-users] Google Security Blog: Announcing the first SHA1 collision On Feb 23, 2017, at 10:50 AM, Marc Simpson <m...@0branch.com> wrote: > > This m

Re: [fossil-users] Google Security Blog: Announcing the first SHA1 collision

2017-02-23 Thread K. Fossil user
ees Nuyt <k.n...@zonnet.nl> To: fossil-us...@mailinglists.sqlite.org Sent: Thursday 23 February 2017 18:15 Subject: Re: [fossil-users] Google Security Blog: Announcing the first SHA1 collision [Default] On Thu, 23 Feb 2017 09:50:12 -0800, Marc Simpson <m...@0branch.com> wrote:

Re: [fossil-users] Google Security Blog: Announcing the first SHA1 collision

2017-02-23 Thread Joerg Sonnenberger
On Thu, Feb 23, 2017 at 06:12:18PM -0500, Martin Gagnon wrote: > Seems that Git can store both of them, I believe it calculates the sha1 > on a combination of the filename and the content or something like that. No, it stores the object type first, which effectively creates a different block

Re: [fossil-users] Google Security Blog: Announcing the first SHA1 collision

2017-02-23 Thread Warren Young
On Feb 23, 2017, at 10:50 AM, Marc Simpson wrote: > > This may be of interest to some here, especially in light of previous > SHA-1 related discussions on list: > > https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html Before I respond, first know that

Re: [fossil-users] Google Security Blog: Announcing the first SHA1 collision

2017-02-23 Thread Martin Gagnon
On Thu, Feb 23, 2017 at 03:18:29PM -0800, bch wrote: [snip] > > Or more correctly, "a *subsequent* file with the same sha1 hash..." If you > happened to commit the Trojan file first, the "good" commit would have been > the one to fail. > True, but if you pull from an untrusted user (or give push

Re: [fossil-users] Google Security Blog: Announcing the first SHA1 collision

2017-02-23 Thread bch
On Feb 23, 2017 15:12, "Martin Gagnon" wrote: On Thu, Feb 23, 2017 at 09:50:12AM -0800, Marc Simpson wrote: > This may be of interest to some here, especially in light of previous > SHA-1 related discussions on list: > >

Re: [fossil-users] Google Security Blog: Announcing the first SHA1 collision

2017-02-23 Thread Martin Gagnon
On Thu, Feb 23, 2017 at 09:50:12AM -0800, Marc Simpson wrote: > This may be of interest to some here, especially in light of previous > SHA-1 related discussions on list: > > https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html > Also, here's a related discussion from

Re: [fossil-users] Google Security Blog: Announcing the first SHA1 collision

2017-02-23 Thread Kees Nuyt
[Default] On Thu, 23 Feb 2017 09:50:12 -0800, Marc Simpson wrote: >This may be of interest to some here, especially in light of previous >SHA-1 related discussions on list: > > https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html Interesting.