I searched in Phabricator to see if we already have a task, but couldn't find 
any. However, as the Phabricator search and I aren't really good friends, it's 
possible that the search wasn't as honest with me as I would wish and I missed 
something, so I'm asking on this list :) Do we already have a task to track the 
work on this topic? A short GitHub search[1] showed some usages of sha1 (at least 
the string), so I suspect that there are some places where we use it, right?

[1] https://github.com/wikimedia/mediawiki/search?utf8=%E2%9C%93&q=SHA1

Best,
Florian

-----Original Message-----
From: Wikitech-l [mailto:[email protected]] On Behalf Of 
Brion Vibber
Sent: Friday, 24 February 2017 18:57
To: Wikimedia-tech list <[email protected]>
Subject: [Wikitech-l] SHA-1 hash officially broken

Google security have announced that they have a working collision attack 
against the SHA-1 hash:

https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html

It's highly recommended to move to sha-256 where doable.

Note that MediaWiki uses sha-1 in a number of places; in some such as revision 
hashes it's advisory for tools only, but in other places like deleted files 
(filearchive table) we use it for addressing, and should consider steps to 
mitigate attacks swapping in alternate files during deletion/undeletion.

-- brion
_______________________________________________
Wikitech-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

