On Mon, Sep 14, 2015 at 11:46 AM, Warren Young <w...@etr-usa.com> wrote:
> On Sep 12, 2015, at 2:26 AM, Stephan Beal <sgb...@googlemail.com> wrote: > > > > On Sat, Sep 12, 2015 at 12:57 AM, Warren Young <w...@etr-usa.com> wrote: > > For instance, why even mention “SHA1 Hash” on the checkin details page > in fossil ui, from src/info.c? Why not something more generic, like > “checkin ID”? > > > > The checkin ID is the hash of the manifest for the checkin. > > Yes, I know that. The question is not, “Why is the checkin ID a SHA-1 > hash?” The question is, “Why does this UI web page have to *say* that it > is a SHA-1 hash?” > > If this page just said “checkin ID,” what would be lost? > Nothing would really be lost that I can imagine. That being said: > What would be gained is that people wouldn’t be trying to work out how to > match sha1sum commands to Fossil output, and Fossil would be free to switch > to a different algorithm later if that seemed like a good idea. > Is this really a problem? Given that the checkin ID is generated from a structured manifest file which is generated in part from sha1 hash values from all included artifacts, it seems intractable to create a deliberately colliding hash. > And indeed, maybe it is a good idea, since SHA-1 is nearing its EOL for > cryptographic use: > > https://www.google.com/?q=sha-1%20end%20of%20life Except fossil doesn't use it for cryptographic security. For secure communications, sure, make the change. For "deterministic generation of identifiers with low probability of collision" it stills seems safe enough. If people need more security, they should probably be using GPG to sign commits. If the powers that be want to make a change of algorithm for ID generation, that'd be fine. I just don't see any urgency myself in non-cryptographic applications. -- Scott Robison
_______________________________________________ fossil-users mailing list fossil-users@lists.fossil-scm.org http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
