
Re: dangerous implementation of rep-sharing cache for fsfs

From: Daniel Shahaf <d.s_at_daniel.shahaf.name>
Date: Fri, 25 Jun 2010 17:37:44 +0300 (Jerusalem Daylight Time)

Mark Mielke wrote on Fri, 25 Jun 2010 at 17:15 -0000:
> There are many widely used systems that rely on statistical improbability.

Public-key encryption is another example. (You always assume that if
someone else runs 'gpg --gen-key' they won't get *your* secret key by
chance.)

> Michael: Feel free to show a *real* repository where rep-sharing cache has
> caused a corruption due to use of SHA-1.

By the way. Let's assume for a moment that we had a collision; namely,
two representations (as defined in libsvn_fs_fs/structure) that have the
same length, offset (into the rev file), fulltext-length and
fulltext-sha1.

What is the probability that, the next time you run 'checkout' or 'update'
that touches the collided file, you won't get errors (either checksum
errors[1] from Subversion or semantic errors when you try to use the file
(which will be mis-reconstructed by the rep-sharing-ful fsfs))?

Daniel
('svnadmin verify' wouldn't complain, I think)

[1] The on-the-wire transmission uses md5, IIRC. (Hyrum?)
Received on 2010-06-25 16:37:24 CEST

This is an archived mail posted to the Subversion Dev mailing list.
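
The question raised in the mail above (would a colliding shared representation go unnoticed on the next read?) can be tried on a toy model. This is an added example, not part of the original mail and not Subversion code. It assumes a sharing key truncated to 16 bits of SHA-1 so that a collision is cheap to find, keys on the hash alone rather than the full tuple the mail lists, and stores a separate MD5 per file as a stand-in for the independent checksum mentioned in footnote [1]; all names are hypothetical.

```python
import hashlib
from itertools import count

KEY_BYTES = 2  # assumption: 16-bit truncation makes a collision findable in a toy run

def share_key(data: bytes) -> bytes:
    # Stand-in for the fulltext-sha1 part of the sharing key.
    return hashlib.sha1(data).digest()[:KEY_BYTES]

class SharingStore:
    def __init__(self):
        self.bodies = {}  # sharing key -> first body stored under that key
        self.files = {}   # file name -> (sharing key, md5 of intended content)

    def put(self, name: str, data: bytes) -> bool:
        key = share_key(data)
        shared = key in self.bodies
        self.bodies.setdefault(key, data)  # an existing body is reused, never replaced
        # The independent checksum is taken from what the writer meant to store.
        self.files[name] = (key, hashlib.md5(data).hexdigest())
        return shared

    def get(self, name: str) -> bytes:
        key, expected_md5 = self.files[name]
        data = self.bodies[key]
        if hashlib.md5(data).hexdigest() != expected_md5:
            raise ValueError(f"checksum mismatch reading {name!r}")
        return data

def find_colliding_pair():
    # Constructed sample inputs; returns two different ones with the same key.
    seen = {}
    for i in count():
        data = b"constructed sample %d" % i
        key = share_key(data)
        if key in seen:
            return seen[key], data
        seen[key] = data

def demo():
    first, second = find_colliding_pair()
    store = SharingStore()
    store.put("a.txt", first)
    shared = store.put("b.txt", second)  # silently reuses a.txt's body
    try:
        store.get("b.txt")
    except ValueError:
        return shared, True   # mis-reconstruction caught on read
    return shared, False
```

In this model the write succeeds without complaint and the mismatch only surfaces when the file is read back against the second checksum.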