Re: [Monotone-devel] SHA- collision found
From: Hendrik Boom
Subject: Re: [Monotone-devel] SHA- collision found
Date: Sun, 26 Feb 2017 19:27:50 -0500
User-agent: Mutt/1.5.23 (2014-03-12)

On Sat, Feb 25, 2017 at 12:52:14AM -0500, grarpamp wrote:
> To be in some relative perspective, there are probably lot
> more fixes, updates, and developments to do for monotone
> more important than immediate practicality of sha1 attack
> this very moment. So all those can come as can be made :)
At least one source repository has been completely corrupted by adding
two pdf's with the same SHA1 hashes. Granted, it was a Subversion
repository (for Webkit) and not monotone, but the problem may be
urgent and important.
https://soylentnews.org/article.pl?sid=17/02/26/1724226
How to fix?
(1) start using a better hash code for all new files we commit, so
that no *new* files will cause a conflict if there isn't already
one in the data base.
(2) provide a mechanism for recertifying all the old changes. Perhaps
a second-order certificate that certifies all the old certificates as
being valid. This would at least be a bit of a mess, because old
repositories will have both hashes -- old hashes for old changes and
new ones for new files.
Or is there a valid way of rehashing and recertifying everything and
starting afresh with a completely new database?
-- hendrik
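
Added example, not part of the original message and not monotone code: a minimal sketch of the two options above, where a store keeps the old SHA1 id as an index into SHA-256-addressed content, refuses a second content under an existing SHA1 id instead of overwriting, and re-hashes an old database. The names DualHashStore, LegacyCollision and recertify are hypothetical.

```python
import hashlib

class LegacyCollision(Exception):
    """Two different contents map to the same legacy (weak) id."""

def sha1_id(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()

def sha256_id(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

class DualHashStore:
    """Content is addressed by SHA-256; the legacy id is only an index."""

    def __init__(self, legacy_id=sha1_id):
        self.legacy_id = legacy_id   # swappable so a test can use a weak id
        self.blobs = {}              # strong id -> content
        self.legacy_index = {}       # legacy id -> strong id

    def add(self, data: bytes) -> str:
        strong, old = sha256_id(data), self.legacy_id(data)
        known = self.legacy_index.get(old)
        if known is not None and known != strong:
            # Same legacy id, different bytes: refuse rather than corrupt.
            raise LegacyCollision(f"legacy id {old} already names {known}")
        self.blobs[strong] = data
        self.legacy_index[old] = strong
        return strong

    def get_by_legacy(self, old: str) -> bytes:
        return self.blobs[self.legacy_index[old]]

def recertify(old_db: dict, store: DualHashStore):
    """Option (2): re-hash every old entry into the new store.

    old_db maps recorded legacy id -> content. Returns (migrated, rejected):
    migrated maps legacy id -> strong id, rejected lists ids whose stored
    content no longer hashes to the id it is filed under.
    """
    migrated, rejected = {}, []
    for old, data in sorted(old_db.items()):
        if store.legacy_id(data) != old:
            rejected.append(old)
            continue
        migrated[old] = store.add(data)
    return migrated, rejected
```

The migrated mapping is the data a second-order certificate would have to cover: one (old id, new id) pair per entry, signed once.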