git.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: <rsbecker@nexbridge.com>
To: "'Hans Petter Selasky'" <hps@selasky.org>, <git@vger.kernel.org>
Subject: RE: Gitorious should use CRC128 / 256 / 512 instead of SHA-1
Date: Fri, 13 Jan 2023 09:21:56 -0500	[thread overview]
Message-ID: <009701d9275a$678416b0$368c4410$@nexbridge.com> (raw)
In-Reply-To: <446984f6-0d2e-04da-11a3-8b1481fac953@selasky.org>

On January 13, 2023 8:40 AM, Hans Petter Selasky wrote:
>On 1/13/23 14:30, Konstantin Khomoutov wrote:
>> On Fri, Jan 13, 2023 at 01:59:44PM +0100, Hans Petter Selasky wrote:
>>
>>> Currently GIT only supports cryptographic hashes for its commit tags.
>> [...]
>>
>> https://github.com/git/git/blob/9bf691b78cf906751e65d65ba0c6ffdcd9a5a1
>> 2c/Documentation/technical/hash-function-transition.txt
>>
>> It's not clear why are you referring to Gitorious in your mail's
>> subject and then talk about Git.
>>
>
>Hi,
>
>I thought that Git was short for Gitorious? My bad.
>
>The document you refer to really highlights my concerns, that a strong
>cryptographic hash algorithm is the highway to hell.
>
>Do _not_ use a cryptographic hash for Git. Use plain good old CRC hashes.
>
>Just imagine the consequences of finding child porn inside a 10-year old firmware
>binary blob in the Linux kernel. Will you just ignore it, or will you fix it?
>
>That's why I say, that it must be possible to forge the hashes by default.

I do not understand the goal of this request. If it is possible to forge hashes, then nothing in a git repository can ever be trusted. Signed content will no longer be verifiable. The whole Merkel Tree representing the commit history becomes easily corruptible by hackers and no upstream remote repository can ever be trusted - or someone's own if someone targets a repo with malware that rewrites hashes. Imagine a scenario when malware replaces a blob in a repo and then forges the hash to pretend that the replacement never occurred. Using git as a supply chain audit trail becomes impossible. This is a potential vector for ransomware invading the git ecosystem. This seems like a really fatal path to take for the product.

The advantage of how git functions is that it is possible to mirror or clone repositories, protecting from hardware errors. Repositories exist in distributed form, so there may be hundreds or thousands of copies in case someone's copy is corrupted by a disk or memory write error - so that takes hash reconstruction out of the requirement set. If the git architecture was based on a central repository model only, then this might be a reasonable request, but that is not how git works. If, for instance, a main GitHub repo is somehow corrupted, it can be repaired by a push --force or a clone from a different instance.

Unless I am missing your point.
--Randall


  reply	other threads:[~2023-01-13 14:30 UTC|newest]

Thread overview: 42+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-01-13 12:59 Gitorious should use CRC128 / 256 / 512 instead of SHA-1 Hans Petter Selasky
2023-01-13 13:30 ` Konstantin Khomoutov
2023-01-13 13:39   ` Hans Petter Selasky
2023-01-13 14:21     ` rsbecker [this message]
2023-01-13 14:42       ` Hans Petter Selasky
2023-01-13 15:45         ` Konstantin Ryabitsev
2023-01-13 15:50           ` Hans Petter Selasky
2023-01-13 15:56             ` rsbecker
2023-01-13 16:02               ` Hans Petter Selasky
2023-01-13 15:54           ` Hans Petter Selasky
2023-01-13 16:02             ` Konstantin Ryabitsev
2023-01-13 16:06               ` Hans Petter Selasky
2023-01-13 16:18                 ` Hans Petter Selasky
2023-01-13 16:36                   ` Konstantin Ryabitsev
2023-01-13 16:44                     ` Hans Petter Selasky
2023-01-13 16:49                       ` Konstantin Ryabitsev
2023-01-13 16:51                         ` Hans Petter Selasky
2023-01-13 16:27                 ` Konstantin Ryabitsev
2023-01-13 16:30                   ` Hans Petter Selasky
2023-01-13 16:35                   ` Hans Petter Selasky
2023-01-13 16:41                     ` Konstantin Ryabitsev
2023-01-13 16:45                       ` Hans Petter Selasky
2023-01-13 15:15       ` Hans Petter Selasky
2023-01-13 17:44       ` Philip Oakley
2023-01-13 15:30     ` Konstantin Khomoutov
2023-01-13 15:39     ` Konstantin Ryabitsev
2023-01-13 13:23 Hans Petter Selasky
2023-01-14 23:59 ` brian m. carlson
2023-01-15  3:14   ` Junio C Hamano
2023-01-15 10:09   ` demerphq
2023-01-16  7:21   ` Hans Petter Selasky
2023-01-16  7:23   ` Hans Petter Selasky
2023-01-16 12:34     ` rsbecker
2023-01-16 14:01       ` Hans Petter Selasky
2023-01-16 15:06         ` Junio C Hamano
2023-01-15 13:53 ` Michal Suchánek
2023-01-16  7:17   ` Hans Petter Selasky
2023-01-16  9:13     ` Michal Suchánek
2023-01-16  9:55       ` Hans Petter Selasky
2023-01-16 12:31         ` rsbecker
2023-01-16 14:10           ` Hans Petter Selasky
2023-01-16 19:08         ` Michal Suchánek

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='009701d9275a$678416b0$368c4410$@nexbridge.com' \
    --to=rsbecker@nexbridge.com \
    --cc=git@vger.kernel.org \
    --cc=hps@selasky.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).