re switching hashes. Do we have any perf comparisons for MD5 vs SHA-256 in general and in SCons? While I think adding SHA-256 has value, I'd be hesitant to make it the default and/or remove MD5. Also there needs to be a reasonable solution to (de)serializing which hash is used to sconsign.
On Mon, Dec 9, 2019 at 1:34 PM Mats Wichmann <m...@wichmann.us> wrote: > > > 2.1.3 Changes Needed To Bazel Remote Cache Server > > > > Currently the Bazel remote cache server only supports SHA-256 for > requests (e.g. GET http://bazel-cache.corp.int/cache/ac/<sha_256_hash>), > while SCons by default uses MD5. As part of this project, VMware will be > contributing code to the upstream Bazel remote cache server project to > support MD5 and SHA-1. We have received confirmation from the project > maintainer that (1) it is acceptable to do this and (2) no prefix is needed > for these alternative hashing formats. As a result, the requests SCons > would make would be of the form > http://bazel-cache.corp.int/cache/ac/<md5_hash> > or http://bazel-cache.corp.int/cache/ac/<sha1_hash>. As mentioned before, > see the Threat Modeling section at the end of this page for more discussion > on hash formats. > > I'm not sure we should actually further push md5. While it's not > intended to be used for security purposes (and yes I read the section on > that), we've already run into users who are not allowed to use it no > matter what (there's a pending patch to failover to sha1 to address one > of those users' concerns)... and there are fast algorithms in the SHA-2 > family as well as ones that didn't quite make the SHA-3 choice (namely, > Blake) which are quite fast on Python. It may be time to transition? > > _______________________________________________ > Scons-dev mailing list > Scons-dev@scons.org > https://pairlist2.pair.net/mailman/listinfo/scons-dev >
_______________________________________________ Scons-dev mailing list Scons-dev@scons.org https://pairlist2.pair.net/mailman/listinfo/scons-dev
