[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Monotone-devel] Git's usage of SHA1
From: |
Markus Wanner |
Subject: |
Re: [Monotone-devel] Git's usage of SHA1 |
Date: |
Tue, 9 Feb 2016 17:28:16 +0100 |
User-agent: |
Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.5.1 |
Hi,
On 02/08/2016 07:52 PM, grarpamp wrote:
> A long thread on the below list with the above subject (that SHA1
> is more or less broken and should be proactively replaced along
> the lines of other general global movements off of SHA1) mentioned
> the snippet below. The same subject should be given consideration
> in monotone as well.
I agree and have thought about teaching monotone to use other hash
functions. There's no need to rush, though. I'd rather like to think
this through well.
OTOH at the current rate of development, we better hurry up a bit. ;-)
> https://lists.sonic.net/mailman/private/crypto-practicum/2016q1/thread.html
No access.
> Also, historically speaking git's usage of SHA1 almost certainly came
> from monotone (monotone.ca), which Linus used as inspiration for git.
Yes.
> They still use SHA1, but it sounds like it would be much easier to
> replace there than in git.
I cannot speak for git, but I've already tried in monotone and it's not
trivial, either.
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=813157
Sounds like an entirely different issue. Monotone took the conservative
approach, here, and has always checked everything it receives via the
network.
> https://git.wiki.kernel.org/index.php/LinusTalk200705Transcript
Here, Linus' argument is that git only uses SHA-1 as a consistency
check, not for security. (I haven't checked how git's OpenPGP
integration works.)
That's certainly not the case for monotone, where certs reference the
revision id (a sha-1 hash).
> https://github.com/jayphelps/git-blame-someone-else
WTF is that? You're not trying to blame monotone for git's usage of
SHA-1, are you?
Kind Regards
Markus Wanner