On Thu, Oct 29, 2015 at 1:37 AM, Eduard <[email protected]> wrote:
> First I propose that the use of SHA1 in Fossil is a serious problem.
>

This has been said at least a dozen times, and has not once been demonstrated. Show me the code. Falsify ONE artifact, and i'll believe it's a problem.

> The first solution is to do nothing and just tell users not to sync with
> untrusted repositories.

Which is a no-brainer, IMO.

> Given the distributed nature of software (and
> otherwise) development, I believe it is a difficult burden to impose
> upon developers that all contributors always be carefully vetted, and
> that third-party (web) hosting never be trusted. I feel that this also
> breaks the "eternally incorruptible" promise of Fossil.
>

So far it's held up against everything except purely hypothetical thought experiments.

> most definitely breaks older PGP clearsigned checkins (which would have
> remained secure as long as SHA1 second-preimage attacks are infeasible).
> The main advantage to this approach is that it is the most elegant and
> easy to understand and deal with.

i fail to see how changing from hash A to B makes anything more elegant or easier to understand.

> The third solution is to change the Fossil specification to redefine the
> artifact ID to be the concatenation of the SHA1 and BetterHash hash
> digests, and allow 40 hexadecimal digit IDs as prefixes. One can show
> that the preimage- and collision-resistance of this combination is at
> least as good as the strongest of the two. The main advantage of this
> approach is that it is not a breaking change

But it's a heck of a lot of work to solve an as-yet-undemonstrated, hypothetical problem.

> Please let me know your thoughts on this matter.
>

i stubbornly refuse to be convinced until someone demonstrates the problem. Once it's demonstrated, i'm all ears.

--
----- stephan beal
http://wanderinghorse.net/home/stephan/
http://gplus.to/sgbeal
"Freedom is sloppy. But since tyranny's the only guaranteed byproduct of those who insist on a perfect world, freedom will have to do." -- Bigby Wolf
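The "third solution" quoted in the message above (concatenated digests, with 40-digit IDs accepted as prefixes), sketched as an added example that is not part of the original post and is not Fossil's code. SHA-256 stands in for the unnamed "BetterHash", and `ArtifactStore` and its methods are hypothetical names.

```python
import hashlib

SHA1_HEX = 40  # length of a legacy Fossil artifact ID in hex digits

def artifact_id(content: bytes) -> str:
    """Combined ID: SHA1 hex digest followed by the second digest.
    SHA-256 stands in for the thread's unnamed "BetterHash" (assumption)."""
    return hashlib.sha1(content).hexdigest() + hashlib.sha256(content).hexdigest()

class AmbiguousPrefix(LookupError):
    """More than one stored artifact matches the requested ID prefix."""

class ArtifactStore:  # hypothetical toy store, not Fossil's repository code
    def __init__(self):
        self.blobs = {}  # full combined ID -> content

    def receive(self, claimed_id: str, content: bytes) -> str:
        """Accept content from a peer only if it hashes to the claimed ID.
        A 40-digit legacy ID is checked against the SHA1 half alone."""
        full = artifact_id(content)
        claimed_id = claimed_id.lower()
        if len(claimed_id) not in (SHA1_HEX, len(full)) or not full.startswith(claimed_id):
            raise ValueError("content does not match claimed artifact ID")
        self.blobs[full] = content
        return full

    def resolve(self, prefix: str) -> str:
        """Map a legacy 40-digit ID (or any prefix) to one full combined ID."""
        matches = [aid for aid in self.blobs if aid.startswith(prefix.lower())]
        if not matches:
            raise KeyError(prefix)
        if len(matches) > 1:
            # Two artifacts sharing a prefix of SHA1 length would mean a SHA1
            # collision; the second digest keeps them distinct and detectable.
            raise AmbiguousPrefix(prefix)
        return matches[0]

def demo() -> str:
    store = ArtifactStore()
    body = b"constructed sample artifact\n"
    legacy = hashlib.sha1(body).hexdigest()
    full = store.receive(legacy, body)      # old-style ID is still accepted
    assert store.resolve(legacy) == full    # and still resolves to one artifact
    # Simulated SHA1 collision (constructed entry, not a real colliding file):
    store.blobs[legacy + "0" * 64] = b"different content"
    try:
        store.resolve(legacy)
    except AmbiguousPrefix:
        return "collision detected"
    return "collision missed"

if __name__ == "__main__":
    print(demo())
```
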

