Matt McCutchen wrote:
> "Broken" in the past tense is inaccurate: no SHA-1 collision has been
> published yet. I would like to see DVCSes switch to a stronger hash
> algorithm sooner rather than later, but it's not enough of a concern
> that I would avoid using them. If it makes you feel any better, git
> will not allow a fetched object to replace a local one with the same
> hash, so you can only lose if you fetch from the attacker first.
I'm not talking about intentional collisions; I'm talking about accidental
collisions, which ALL hash algorithms are vulnerable to, no matter how
strong. Hashes are inherently non-injective and mathematically CANNOT be
otherwise. Now the probability of an accidental collision is very low, but
it is not zero, so the algorithm is unreliable. And low probabilities add up
the more projects use DVCSes. Sooner or later some project will be hit by a
collision.
And the shorter the hash, the more likely a collision (exponentially!), so
the "abbreviated hashes" git uses are particularly collision-prone.
> For sequential commit numbering, try "git describe".
Nobody actually uses those numbers though (and in fact I doubt those numbers
can be used in all the ways SVN revision IDs can be used). What everyone
uses is hashes, leaving you to wonder whether deadbeef or c0cac01a is the
newer revision (assuming that both are snapshots from master or at least
from the same branch, which is usually the case when comparing 2 packaged
snapshots).
> The problems with CVS were amply explained there, but it's less clear to
> me whether there were compelling reasons to choose git over (e.g.) SVN +
> git-svn or the people involved just happened to like distributed version
> control, as I do.
Sure they do, but the problem is that they're FORCING their preference onto
everyone, whereas using SVN would have allowed them to work their way (using
SVK or git-svn) without breaking our workflow, and SVN has all the required
features (e.g. atomic commits and thus repository-wide revision IDs).
Sadly, more and more projects are getting infected by the git virus, KDE is
also moving to git, several other upstream projects already did. :-(
Kevin Kofler
--
devel mailing list
[email protected]
https://admin.fedoraproject.org/mailman/listinfo/devel
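The collision argument above (accidental collisions are unavoidable, and shorter abbreviations make them exponentially more likely) can be put into numbers with the birthday bound. The following Python is an added illustration, not part of this thread or of git: it computes the probability that at least two of N uniformly random values of a given bit length coincide, the number of objects at which that probability reaches one half, and, as an empirical check, finds the first pair of distinct constructed inputs ("blob 0", "blob 1", ...; these are not real git objects) whose SHA-1 prefixes agree at a 7-hex-digit abbreviation, the length git has traditionally shown by default.

```python
import hashlib
import math


def birthday_collision_probability(bits: int, n_objects: int) -> float:
    """Probability that at least two of n_objects values drawn uniformly
    from a space of 2**bits coincide (the birthday bound).

    The exact product form 1 - prod(1 - i/N) is used for modest n; beyond
    that the standard exp(-n(n-1)/2N) approximation is used. expm1 keeps
    tiny probabilities (around 1e-37 for full 160-bit SHA-1 in a repository
    of a million objects) from rounding to exactly 0.
    """
    space = 2 ** bits
    if n_objects < 2:
        return 0.0
    if n_objects > space:
        return 1.0  # pigeonhole: more objects than values
    if n_objects <= 200_000:
        log_p_no_collision = sum(math.log1p(-i / space) for i in range(n_objects))
    else:
        log_p_no_collision = -n_objects * (n_objects - 1) / (2 * space)
    return -math.expm1(log_p_no_collision)


def objects_for_half_chance(bits: int) -> float:
    """Number of objects at which an accidental collision becomes a coin
    flip: roughly sqrt(2 ln 2 * 2**bits), i.e. about 1.18 * 2**(bits/2).
    Halving the abbreviation length does not halve this number, it takes
    its square root; that is the 'exponentially' in the message above."""
    return math.sqrt(2 * math.log(2) * 2 ** bits)


def first_abbrev_collision(hex_digits: int, max_objects: int):
    """Hash constructed inputs b'blob 0', b'blob 1', ... with SHA-1 and return
    the indices (i, j) of the first two whose first hex_digits hex characters
    agree, or None if no such pair appears within max_objects inputs."""
    seen = {}
    for i in range(max_objects):
        prefix = hashlib.sha1(b"blob %d" % i).hexdigest()[:hex_digits]
        if prefix in seen:
            return seen[prefix], i
        seen[prefix] = i
    return None


if __name__ == "__main__":
    print("abbrev  bits   objects@50%   P(10k)      P(100k)     P(1M)")
    for hex_digits in (7, 8, 10, 12, 40):
        bits = 4 * hex_digits
        row = [birthday_collision_probability(bits, n) for n in (10_000, 100_000, 1_000_000)]
        print("%-7d %-6d %-13.0f %-11.3g %-11.3g %-11.3g"
              % (hex_digits, bits, objects_for_half_chance(bits), *row))
    pair = first_abbrev_collision(7, 200_000)
    if pair:
        i, j = pair
        print("first 7-hex-digit collision: 'blob %d' and 'blob %d' both start with %s"
              % (i, j, hashlib.sha1(b"blob %d" % i).hexdigest()[:7]))
```

A 7-hex-digit abbreviation is 28 bits, so a repository of roughly 19,000 objects already has even odds of containing two objects that share an abbreviated id, while the full 160-bit id needs on the order of 2^80 objects before accidental collisions matter at all; this is why the abbreviation, not the underlying hash, is the practical weak point, and why an abbreviated id should only be trusted as far as the tool confirms it is still unique in that repository.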