On Tue, Apr 4, 2017 at 11:33 AM, Stefan Sperling <stsp_at_elego.de> wrote:
> On Mon, Feb 20, 2017 at 09:05:25AM +0100, Bert Huijben wrote:
>> This code is still in trunk without any of the discussed improvements, so
>> this change is currently part of 1.10.0-alpha1.
>>
>> If we don't implement the improvements I think we should check if we want
>> to revert to the 1.0-1.9 behavior before we really look at releasing 1.10.
>>
>> See discussion below
>>
>> Bert
>
> I think the proposed approach as implemented on trunk can no longer be
> considered viable, unfortunately, because of this step:
>
>> > >>> 4. Calculate SHA-1 checksum of detranslated contents of working file
>> > >>> and compare it with pristine's checksum stored in wc.db.
>
> Given that the SHA1 collision problem is real, we are now trying to stop
> relying on hashes to compare content. So it does not make sense to add
> new code which relies on hashes in this way, in my opinion.
>
> It seems that using SHA1 to compare content is key to the proposed approach.
> If that is correct, then I don't agree with releasing 1.10 with this feature
> and I would be in favour of reverting this change.
>
> Ivan, do you have any further comments on this thread? You have remained
> silent for quite some time now :(
Where are we with this? Seems the consensus is to revert r1759233 to
not further increase our reliance on sha1? Or is there still a way to
keep r1759233 in some way, and improve it to make the sha1 test
"sensitive but not specific", like danielsh proposed?
Ivan?
--
Johan
Received on 2017-05-09 13:22:09 CEST