On Wed, Oct 22, 2008 at 4:57 AM, Alan Barrett <apb_at_cequrux.com> wrote:
> On Tue, 21 Oct 2008, Greg Stein wrote:
>> The simple fact is that we're going to be running around with md5
>> checksums in hand for a long while. OR we double-compute, and I'm not
>> willing to burn that much CPU to satisfy somebody's misguided
>> preconception about md5 collisions.
>
> What "misguided preconception" did you see in David Glasser's
> description of the problem? It seems like quite a real problem to me.
That unintended collisions can occur or an attacker is going to
somehow cause problems for an svn repository by using md5 collisions
against it. That's how the discussion started (somewhat on the mailing
list, and definitely on IRC).
Later, the idea of researchers surfaced, and that they'd be trying to
store file pairs with the same hash. I grant your scenario is valid.
We *still* have all the problems that md5 is fully-intertwined in our
code. I'm still not willing to do double-checksums and kill millions
of coders for a few researchers who could simply tar their candidate
pairs together, or gzip them. Yes, that's the brutal truth :-P ... the
researchers need to use workarounds, and the millions get a fast
product.
In the future... yes, we could remove the limitation.
Cheers,
-g
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe_at_subversion.tigris.org
For additional commands, e-mail: dev-help_at_subversion.tigris.org
Received on 2008-10-22 14:34:18 CEST