After you've changed the editor API, the wc_entry_t structure,
migrated all old clients over to svn_checksum_t, and then switched the
storage defaults over to sh1, *then* we can talk about "an easy
The simple fact is that we're going to be running around with md5
checksums in hand for a long while. OR we double-compute, and I'm not
willing to burn that much CPU to satisfy somebody's misguided
preconception about md5 collisions. And double-compute generally means
that we *carry around* both checkums. You wanna update all the APIs
for that, too?
And before you start all of the above, please describe the failure mode?
As I see it, Alice chooses FOO.C to be her prefix. So she appends some
code to the end, then she adds a second file with the same FOO.C
prefix, and then adds some *different* code to the end, which Alice
knows to generate an MD5 collision. The working copy then proceeds to
NOT install the second file since it thinks it already has it. Thus,
Alice ends up with two copies of FOO.C + one suffix.
Is there a different failure mode that you're "protecting" (ahem) against?
On Tue, Oct 21, 2008 at 7:01 PM, Hyrum K. Wright
> Greg Stein wrote:
>> There is a HUGE difference between constructing two files with the
>> same md5 in order to falsify a signature, and that of two files in a
>> repository having the same md5 hash by accident.
>> Sit down and look at the odds. 1 in 2^128. If I understand my powers
>> of two properly, I believe that means the earth is more likely to
>> spontaneously explode, than for two files to have the same hash key.
> I'm not concerned about *random* collisions. I'm concerned about malicious
> committers (or attackers who compromise a comitter's account). In that case, it
> becomes the same as constructing two files with the same md5 to falsify a signature.
> The other way to look at this is cost vs. benefit. Changing to sha1 has minimal
> cost, especially with the new checksum infrastructure. While some may claim
> that the benefits are equally minimal, others would feel more comfortable if we
> used sha1 in the rep cache table. I think that's a reasonable compromise.
>> On Tue, Oct 21, 2008 at 3:57 PM, David Glasser <glasser_at_davidglasser.net> wrote:
>>> As far as I can tell from reading the source, this (at least in FSFS)
>>> assumes that reps sharing the same md5 are the same file. (BDB seems
>>> to use sha1.)
>>> This means that you cannot store two files with the same md5 in the
>>> same repository. While obviously all hashes have collisions in
>>> theory, md5 has collisions in practice: there are known instances.
>>> And you know, cryptography researchers use Subversion! (At one point
>>> I tried to help fix Ron Rivest's corrupted svn repo...) I do not
>>> think that this limitation is appropriate for Subversion; I would
>>> highly advise against releasing this without changing FSFS to use SHA
>>> as well. (I can't find a mailing-list discussion of this choice; my
>>> apologies if I missed one, I have admittedly been not paying as much
>>> attention as I'd like to Subversion development recently.)
>>> On Mon, Oct 6, 2008 at 8:59 PM, Hyrum K. Wright
>>> <hyrum_wright_at_mail.utexas.edu> wrote:
>>>> The fs-rep-sharing branch is functionally complete, and I'd like to get the
>>>> branch merged to trunk soon. These are the stats for various copies of of our
>>>> repository for the different branch/backend combinations.
>>>> BDB: 1.5: 1.4GB
>>>> trunk: 627MB
>>>> reps-shared: 490MB
>>>> FSFS: 1.5: 586MB
>>>> trunk: 578MB
>>>> reps-shared: 523MB
>>>> The effect is quite pronounced on BDB, with around a 20% space savings compared
>>>> with our current trunk (and over 67% compared with 1.5!) FSFS doesn't show as
>>>> much improvement, partly due to the size of the index required to enable
>>>> rep-sharing, partly due to decreased sharing opportunities in same-revision and
>>>> parallel revision objects, and mostly due to the absolute floor on repo size due
>>>> to inode usage.
>>>> We may be able to tune the FSFS implementation just a bit. For instance, it may
>>>> not be likely that directory content representations are likely to be shared, in
>>>> which case we shouldn't bother
>>>> The remaining issue is the failing blame tests. Blame tests 10 and 11, which
>>>> test 'blame -g', both fail for both backends. Before the recent commits to add
>>>> rep-sharing to fsfs, the tests only failed for bdb. I'm slightly puzzled here
>>>> because 'blame -g' should be FS-agnostic. If anybody has some insight, I
>>>> welcome it.
>>>> [Note: Because SQLite is still not an official dependency, to compile the
>>>> rep-sharing stuff with FSFS, you'll need to add -DENABLE_SQLITE_TESTING to the
>>>> CPPFLAGS when configuring.]
To unsubscribe, e-mail: dev-unsubscribe_at_subversion.tigris.org
For additional commands, e-mail: dev-help_at_subversion.tigris.org
Received on 2008-10-22 05:06:11 CEST