bug-guix

bug#44187: Channel clones lack SWH fallback


From: zimoun
Subject: bug#44187: Channel clones lack SWH fallback
Date: Mon, 20 Sep 2021 11:27:32 +0200

Hi,

On Sat, 18 Sept 2021 at 23:10, Ludovic Courtès <ludo@gnu.org> wrote:
> zimoun <zimon.toutoune@gmail.com> wrote:

> > and after more than 12h, the status is still: «SWH vault: Processing...»
> > and nothing is complete.
>
> Did it eventually succeed?  We obviously have no guarantee as to how
> long it might take to cook a bundle.

No, I stopped.  And I reported to #swh-devel.  It might be something
wrong on their side.
Yeah, cooking a bundle could take long... especially with a large repo
such as Guix (lots of commits and a couple of files).
I think it is ok to leave the code as it is now.


> >> *Third, and this answers the asterisk above, we must keep in mind that
> >> this is content-addressability *with SHA1*.  Generating a chosen-prefix
> >> collision is becoming affordable³, so users absolutely need an additional
> >> mechanism to authenticate code they fetched.
>
> [...]
>
> > How a chosen-prefix attack could work here?  I understand why the second
> > preimage attack is an issue.  But I miss how the SHA-1 chosen-prefix attack
> > could be exploited here to compromise the user, because this hash is
> > provided by this very same user.
>
> I think you’re right, it’s rather second-preimage attacks that would be
> a serious problem.  My point is: as time passes, assuming that a SHA1
> resolves to a single revision on SWH is becoming more and more
> questionable.

Well, SHA-1 is 2^160 (~10^48.2), compared to 10^50, which is the
estimated number of atoms in Earth.  Speaking about
content-addressability, SHA-1 seems fine.  However, for security, yeah
time flies. :-)


> >>   swh: Support downloads of bare Git repositories.
> >>   git: 'update-cached-checkout' can fall back to SWH when cloning.
> >>   git: 'reference-available?' recognizes 'tag-or-commit'.
>
> I’ve pushed this after adding the warning as you suggested:
>
>   dce2cf311b * git: 'reference-available?' recognizes 'tag-or-commit'.
>   05f44c2d85 * git: 'update-cached-checkout' can fall back to SWH when cloning.
>   6ec81c31c0 * swh: Support downloads of bare Git repositories.

Cool!  I would deserve a --news entry. ;-)

Cheers,
simon
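
The point discussed above, that the commit hash comes from the user and the archive only has to return bytes matching it, as an added example (not part of the original message and not Guix's or SWH's code). All function names and the sample repository are constructed for illustration; the check covers the pinned commit's snapshot only, not its parent history, and it establishes integrity under SHA-1 second-preimage resistance, not authenticity.

```python
import hashlib

def git_object_id(kind: str, payload: bytes) -> str:
    # Git's object ID is SHA-1 over "<kind> <length>", a NUL byte, then the payload.
    header = f"{kind} {len(payload)}".encode() + b"\0"
    return hashlib.sha1(header + payload).hexdigest()

def tree_entries(payload: bytes):
    """Yield (mode, name, child_id) from a raw Git tree object."""
    pos = 0
    while pos < len(payload):
        space = payload.index(b" ", pos)
        nul = payload.index(b"\0", space)
        yield (payload[pos:space].decode(), payload[space + 1:nul].decode(),
               payload[nul + 1:nul + 21].hex())
        pos = nul + 21

def verify_closure(pinned_id: str, fetch) -> int:
    """Re-hash every object reachable from pinned_id; `fetch` is the untrusted source."""
    checked, todo = 0, [pinned_id]
    while todo:
        wanted = todo.pop()
        kind, payload = fetch(wanted)
        if git_object_id(kind, payload) != wanted:
            raise ValueError(f"object {wanted} does not match its ID")
        checked += 1
        if kind == "commit":  # first header line is "tree <hex id>"
            todo.append(payload.split(b"\n", 1)[0].split(b" ")[1].decode())
        elif kind == "tree":  # mode 160000 is a submodule link, stored elsewhere
            todo.extend(c for mode, _, c in tree_entries(payload) if mode != "160000")
    return checked

def build_sample():
    """Constructed repository: one commit -> one tree -> one blob."""
    blob = b"(define-module (demo))\n"
    blob_id = git_object_id("blob", blob)
    tree = b"100644 demo.scm\0" + bytes.fromhex(blob_id)
    tree_id = git_object_id("tree", tree)
    commit = (f"tree {tree_id}\n"
              "author A <a@example.org> 0 +0000\n"
              "committer A <a@example.org> 0 +0000\n\nconstructed\n").encode()
    store = {blob_id: ("blob", blob), tree_id: ("tree", tree)}
    commit_id = git_object_id("commit", commit)
    store[commit_id] = ("commit", commit)
    return commit_id, blob_id, store

if __name__ == "__main__":
    pinned, blob_id, store = build_sample()
    print("objects verified:", verify_closure(pinned, store.__getitem__))
```
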




