bug#44187: Channel clones lack SWH fallback
From: Ludovic Courtès
Subject: bug#44187: Channel clones lack SWH fallback
Date: Wed, 22 Sep 2021 12:03:32 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/27.2 (gnu/linux)
Hi,
zimoun <zimon.toutoune@gmail.com> skribis:
> On Sat, 18 Sept 2021 at 23:10, Ludovic Courtès <ludo@gnu.org> wrote:
[...]
>> > How a chosen-prefix attack could work here? I understand why the second
>> > preimage attack is an issue. But I miss how the SHA-1 chosen-prefix attack
>> > could be exploited here to compromise the user, because this hash is
>> > provided by this very same user.
>>
>> I think you’re right, it’s rather second-preimage attacks that would be
>> a serious problem. My point is: as time passes, assuming that a SHA1
>> resolves to a single revision on SWH is becoming more and more
>> questionable.
>
> Well, SHA-1 is 2^160 (~10^48.2) and compared to 10^50 which is the
> estimated number of atoms in Earth. Speaking about
> content-addressability, SHA-1 seems fine. However, for security, yeah
> time flies. :-)
True!
>> >> swh: Support downloads of bare Git repositories.
>> >> git: 'update-cached-checkout' can fall back to SWH when cloning.
>> >> git: 'reference-available?' recognizes 'tag-or-commit'.
>>
>> I’ve pushed this after adding the warning as you suggested:
>>
>> dce2cf311b * git: 'reference-available?' recognizes 'tag-or-commit'.
>> 05f44c2d85 * git: 'update-cached-checkout' can fall back to SWH when cloning.
>> 6ec81c31c0 * swh: Support downloads of bare Git repositories.
>
> Cool! I would deserve a --news entry. ;-)
That’s a good idea, I’ve added one.
Thanks,
Ludo’.