GNU bug report logs - #44187
Channel clones lack SWH fallback


Package: guix;

Reported by: zimoun <zimon.toutoune <at> gmail.com>

Date: Fri, 23 Oct 2020 22:18:01 UTC

Severity: important

Done: Ludovic Courtès <ludo <at> gnu.org>


From: Ludovic Courtès <ludo <at> gnu.org>
To: zimoun <zimon.toutoune <at> gmail.com>
Cc: 44187-done <at> debbugs.gnu.org
Subject: bug#44187: Channel clones lack SWH fallback
Date: Wed, 22 Sep 2021 12:03:32 +0200

Hi,

zimoun <zimon.toutoune <at> gmail.com> wrote:

> On Sat, 18 Sept 2021 at 23:10, Ludovic Courtès <ludo <at> gnu.org> wrote:

[...]

>> > How could a chosen-prefix attack work here?  I understand why the second-
>> > preimage attack is an issue.  But I don't see how the SHA-1 chosen-prefix
>> > attack could be exploited here to compromise the user, because this hash is
>> > provided by this very same user.
>>
>> I think you’re right, it’s rather second-preimage attacks that would be
>> a serious problem.  My point is: as time passes, assuming that a SHA1
>> resolves to a single revision on SWH is becoming more and more
>> questionable.
>
> Well, SHA-1 is 2^160 (~10^48.2), compared to 10^50, which is the
> estimated number of atoms in Earth.  Speaking about
> content-addressability, SHA-1 seems fine.  However, for security, yeah,
> time flies. :-)

True!

>> >>   swh: Support downloads of bare Git repositories.
>> >>   git: 'update-cached-checkout' can fall back to SWH when cloning.
>> >>   git: 'reference-available?' recognizes 'tag-or-commit'.
>>
>> I’ve pushed this after adding the warning as you suggested:
>>
>>   dce2cf311b * git: 'reference-available?' recognizes 'tag-or-commit'.
>>   05f44c2d85 * git: 'update-cached-checkout' can fall back to SWH when cloning.
>>   6ec81c31c0 * swh: Support downloads of bare Git repositories.
>
> Cool!  It would deserve a --news entry. ;-)

That’s a good idea, I’ve added one.

Thanks,
Ludo’.



