[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: SHA1 collisions became cheaper to create.

From: Daniel Shahaf <d.s_at_daniel.shahaf.name>
Date: Wed, 15 May 2019 12:54:15 +0000

Paul Hammant wrote on Wed, 15 May 2019 12:39 +00:00:
> I'm suggesting phasing out SHA1, and during a v1.x to v1.x+1 upgrade
> do a migration script for all content to gain (say) BLAKE2 hashes
> *instead*, and for that install, client's with incompatible hashing
> are rejected.
> There are alternates too, where up to a moment in time a repo has
> SHA1s, and thence after has some other algo.

Hold your horses. *Why* are you proposing to phase out sha1?

For example, is it out of general concerns that a cheap preimage attack
will be discovered before long? Or do you see a specific way to use the
new attack against working copies or repositories? Or something else?

Once we've established that, we can discuss *what* to do... but you're
getting ahead of yourself by discussing *how* to phase off sha1 before
we understand *that* (arguendo) that's the right course of action.


Received on 2019-05-15 14:54:26 CEST

This is an archived mail posted to the Subversion Dev mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.