Right, okay -- that's fairly reasonable, you couldn't realistically prepare an attack on a repository then.
(The question of using things that are slower than SHA1 as in my original post still stands, of course. As you've said, it's definitely better than some stuff that gets used -- such as the recent Gawker farce which was unsalted DES IIRC -- but given how easy that attack was in hindsight, is this good enough?) thanks for your time an attention, lvh _______________________________________________ fossil-users mailing list fossil-users@lists.fossil-scm.org http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users