Re: [Scons-dev] Hashes

2017-10-26 Thread Bill Deegan
Indeed.
SCons is not (currently) in the business of providing security assured
builds.
(Nor as far as I know is any other build system, though I keep finding new
ones I'd never heard of or that are getting released to the public from
being strictly internal tools (google..))

Just correct builds.
(If someone wants to intentionally break it, then that will work.)

On Thu, Oct 26, 2017 at 5:07 AM, Daniel Holth  wrote:

> blake2 is supposed to be very fast, faster than md5. It would probably
> break the 'scons uses stdlib only' rule though. https://blake2.net/
>
> I assume to break scons you would have to update the same filename with
> its md5 collision [while keeping the timestamps the same]?
>

And file size..


> People have tried to put sha1 collisions in their git repositories as test
> input only to find that git breaks. They can cause mischief.
>
> On Thu, Oct 26, 2017 at 10:00 AM Jonathon Reinhart <
> jonathon.reinh...@gmail.com> wrote:
>
>> I believe you will never encounter an accidental MD5 collision in the way
>> that SCons uses it. [1] All of the MD5 collisions being publicized are
>> intentional; leveraging a chosen-prefix attack. Does SCons really care to
>> address the case where someone is intentionally generating collisions? I
>> imagine not.
>>
>> MD5 is still the fastest general-purpose hashing algorithm [2]. So I see no
>> reason for SCons to worry about changing hash algorithms.
>>
>> Jonathon Reinhart
>>
>> [1]: https://stackoverflow.com/a/937798/119527
>> [2]: https://stackoverflow.com/a/2723941/119527
>>
>>
>> On Thu, Oct 26, 2017 at 7:58 AM, Russel Winder 
>> wrote:
>>
>>> I may just be out of date: is SCons using MD5 for hashing?
>>>
>>> Clearly SCons is not that interested in security or true persistence
>>> level hashing, but given the issue of clashing might MD5 now not be
>>> useful?
>>>
>>> --
>>> Russel.
>>> 
>>> =
>>> Dr Russel Winder      t: +44 20 7585 2200   voip: sip:russel.win...@ekiga.net
>>> 41 Buckmaster Road    m: +44 7770 465 077   xmpp: rus...@winder.org.uk
>>> London SW11 1EN, UK   w: www.russel.org.uk  skype: russel_winder
___
Scons-dev mailing list
Scons-dev@scons.org
https://pairlist2.pair.net/mailman/listinfo/scons-dev
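
Added example, not part of the original thread and not SCons code: a simplified model of a content-signature up-to-date check, showing the condition discussed above (same file, same size, colliding digest) under which a changed file is treated as unchanged. The record layout, the function names and the 16-bit truncated digest used to make a collision cheap to find are assumptions for illustration.

```python
import hashlib
from itertools import count


def content_sig(data: bytes, hex_chars: int = 32) -> str:
    """MD5 content signature. hex_chars < 32 truncates the digest to model
    a hash whose collisions are cheap to find (toy setting, not real MD5)."""
    return hashlib.md5(data).hexdigest()[:hex_chars]


def record(data: bytes, hex_chars: int = 32) -> dict:
    """What this simplified model stores per file after a build (assumed layout)."""
    return {"size": len(data), "csig": content_sig(data, hex_chars)}


def is_up_to_date(stored: dict, data: bytes, hex_chars: int = 32) -> bool:
    """True means 'unchanged, skip the rebuild'."""
    return stored == record(data, hex_chars)


def find_same_size_collision(hex_chars: int):
    """Brute-force two different, equal-length inputs (constructed sample
    source lines) that share the same truncated signature."""
    seen = {}
    for i in count():
        data = b"int x = %08d;\n" % i
        sig = content_sig(data, hex_chars)
        if sig in seen:
            return seen[sig], data
        seen[sig] = data


def demo():
    old, new = find_same_size_collision(hex_chars=4)   # 16-bit toy digest
    # Same size and colliding signature: the change is not seen.
    missed = is_up_to_date(record(old, 4), new, 4)
    # Full-width MD5 on the same pair: the change is seen.
    caught = not is_up_to_date(record(old), new)
    # A colliding signature with a different size is still seen.
    resized = not is_up_to_date(record(old, 4), new + b"\n", 4)
    return old, new, missed, caught, resized


if __name__ == "__main__":
    old, new, missed, caught, resized = demo()
    print(old, new, missed, caught, resized)
```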


Re: [Scons-dev] Hashes

2017-10-26 Thread Daniel Holth
blake2 is supposed to be very fast, faster than md5. It would probably
break the 'scons uses stdlib only' rule though. https://blake2.net/

I assume to break scons you would have to update the same filename with its
md5 collision [while keeping the timestamps the same]?

People have tried to put sha1 collisions in their git repositories as test
input only to find that git breaks. They can cause mischief.

On Thu, Oct 26, 2017 at 10:00 AM Jonathon Reinhart <
jonathon.reinh...@gmail.com> wrote:

> I believe you will never encounter an accidental MD5 collision in the way
> that SCons uses it. [1] All of the MD5 collisions being publicized are
> intentional; leveraging a chosen-prefix attack. Does SCons really care to
> address the case where someone is intentionally generating collisions? I
> imagine not.
>
> MD5 is still the fastest general-purpose hashing algorithm [2]. So I see no
> reason for SCons to worry about changing hash algorithms.
>
> Jonathon Reinhart
>
> [1]: https://stackoverflow.com/a/937798/119527
> [2]: https://stackoverflow.com/a/2723941/119527
>
>
> On Thu, Oct 26, 2017 at 7:58 AM, Russel Winder 
> wrote:
>
>> I may just be out of date: is SCons using MD5 for hashing?
>>
>> Clearly SCons is not that interested in security or true persistence
>> level hashing, but given the issue of clashing might MD5 now not be
>> useful?
>>
>> --
>> Russel.
>>


Re: [Scons-dev] Hashes

2017-10-26 Thread Jonathon Reinhart
I believe you will never encounter an accidental MD5 collision in the way
that SCons uses it. [1] All of the MD5 collisions being publicized are
intentional; leveraging a chosen-prefix attack. Does SCons really care to
address the case where someone is intentionally generating collisions? I
imagine not.

MD5 is still the fastest general-purpose hashing algorithm [2]. So I see no
reason for SCons to worry about changing hash algorithms.

Jonathon Reinhart

[1]: https://stackoverflow.com/a/937798/119527
[2]: https://stackoverflow.com/a/2723941/119527

On Thu, Oct 26, 2017 at 7:58 AM, Russel Winder  wrote:

> I may just be out of date: is SCons using MD5 for hashing?
>
> Clearly SCons is not that interested in security or true persistence
> level hashing, but given the issue of clashing might MD5 now not be
> useful?
>
> --
> Russel.
> 


[Scons-dev] Hashes

2017-10-26 Thread Russel Winder
I may just be out of date: is SCons using MD5 for hashing?

Clearly SCons is not that interested in security or true persistence
level hashing, but given the issue of clashing might MD5 now not be
useful?

-- 
Russel.
=
Dr Russel Winder      t: +44 20 7585 2200   voip: sip:russel.win...@ekiga.net
41 Buckmaster Road    m: +44 7770 465 077   xmpp: rus...@winder.org.uk
London SW11 1EN, UK   w: www.russel.org.uk  skype: russel_winder
