Hi,

On Sat, 18 Sept 2021 at 23:10, Ludovic Courtès <l...@gnu.org> wrote:

> zimoun <zimon.touto...@gmail.com> skribis:
>
> > and after more than 12h, the status is still: «SWH vault: Processing...»
> > and nothing is complete.
>
> Did it eventually succeed? We obviously have no guarantee as to how
> long it might take to cook a bundle.

No, I stopped. And I reported to #swh-devel. It might be something wrong
on their side. Yeah, cooking a bundle could be long... especially with a
large repo such as Guix (lots of commits and a couple of files). I think
it is ok to leave the code as it is now.

> >> *Third, and this answers the asterisk above, we must keep in mind that
> >> this is content-addressability *with SHA1*. Generating a chosen-prefix
> >> collision is becoming affordable³, so users absolutely need an additional
> >> mechanism to authenticate code they fetched.
>
> [...]
>
> > How could a chosen-prefix attack work here? I understand why the second
> > preimage attack is an issue. But I don't see how the SHA-1 chosen-prefix
> > attack could be exploited here to compromise the user, because this hash
> > is provided by this very same user.
>
> I think you’re right, it’s rather second-preimage attacks that would be
> a serious problem. My point is: as time passes, assuming that a SHA1
> resolves to a single revision on SWH is becoming more and more
> questionable.

Well, SHA-1 is 2^160 (~10^48.2), compared to 10^50, which is the estimated
number of atoms in Earth. Speaking about content-addressability, SHA-1
seems fine. However, for security, yeah, time flies. :-)

> >> swh: Support downloads of bare Git repositories.
> >> git: 'update-cached-checkout' can fall back to SWH when cloning.
> >> git: 'reference-available?' recognizes 'tag-or-commit'.
>
> I’ve pushed this after adding the warning as you suggested:
>
> dce2cf311b * git: 'reference-available?' recognizes 'tag-or-commit'.
> 05f44c2d85 * git: 'update-cached-checkout' can fall back to SWH when cloning.
> 6ec81c31c0 * swh: Support downloads of bare Git repositories.

Cool! It would deserve a --news entry. ;-)

Cheers,
simon
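The exchange above turns on who supplies the hash: the user pins a Git/SWH identifier up front, the fetched bytes are re-hashed and compared, so substituting content requires a SHA-1 second preimage of that specific honest object, whereas a chosen-prefix collision needs the attacker to author both colliding inputs, including the one the user pinned. The following Python is an added illustration, not code from this thread, from Guix or from Software Heritage. It recomputes the Git object id (the form SWHIDs such as `swh:1:cnt:...` use), checks fetched bytes against the pinned identifier, and shows the "additional mechanism" Ludovic asks for as an independent SHA-256 pinned alongside. `Pin`, `check_fetched` and the sample bytes are constructed for this example.

```python
"""Content-addressed verification of fetched bytes against a user-pinned
Git/SWH identifier, optionally backed by an independent SHA-256.
Added example; it is not Guix or Software Heritage code."""
import hashlib
from dataclasses import dataclass
from typing import Optional


def git_object_id(kind: str, data: bytes) -> str:
    """SHA-1 over Git's object encoding "<kind> <size>\\0<data>".

    Git blob/tree/commit ids and SWHIDs (swh:1:cnt/dir/rev) are built this way,
    which is why the thread calls it content-addressability *with SHA1*.
    """
    header = f"{kind} {len(data)}\0".encode()
    return hashlib.sha1(header + data).hexdigest()


def swhid_for_content(data: bytes) -> str:
    """SWHID of a file's bytes (a Git blob)."""
    return "swh:1:cnt:" + git_object_id("blob", data)


@dataclass(frozen=True)
class Pin:
    """What the user provides *before* fetching (constructed type for this
    example): the SWH/Git identifier and, optionally, a SHA-256 of the same
    bytes that does not depend on SHA-1 at all."""
    swhid: str
    sha256: Optional[str] = None


def pin_for(data: bytes) -> Pin:
    """Derive both pins from the honest bytes, as a user would once."""
    return Pin(swhid_for_content(data), hashlib.sha256(data).hexdigest())


def check_fetched(pin: Pin, data: bytes) -> dict:
    """Verify bytes fetched from an untrusted mirror (e.g. a fallback) against
    the pin.  With only a SWHID, acceptance rests on SHA-1 alone, so an
    attacker would need a *second preimage* of the pinned object; a
    chosen-prefix collision does not help, because the user's pin was not
    derived from attacker-chosen bytes.  With a SHA-256 pin as well, even a
    SHA-1 second preimage is rejected."""
    sha1_match = swhid_for_content(data) == pin.swhid
    sha256_match = (
        None if pin.sha256 is None
        else hashlib.sha256(data).hexdigest() == pin.sha256
    )
    accept = sha1_match and (sha256_match is None or sha256_match)
    return {"sha1_match": sha1_match, "sha256_match": sha256_match,
            "accept": accept}


if __name__ == "__main__":
    honest = b"hello\n"                # constructed sample content
    pin = pin_for(honest)
    print(pin.swhid)                   # same id `git hash-object` gives "hello\n"
    print(check_fetched(pin, honest))  # accepted
    print(check_fetched(pin, b"hell0\n"))  # tampered: both digests differ
    print(check_fetched(Pin(pin.swhid), honest))  # SHA-1-only pin: accepted
```

Running it shows the tampered fetch is rejected on both digests; the last call shows the SHA-1-only case the thread worries about, where acceptance is decided by SHA-1 alone and a second preimage would be enough to pass.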