Haxe wrote:
> On Saturday 04 November 2006 22:36, Raphael Manfredi wrote:
> > Quoting wixor <[EMAIL PROTECTED]> from ml.softs.gtk-gnutella.devel:
> > :Well... there is an issue however - just try to download Nothing
> > : Else Matters (choose the most popular sha1) and see how gtkg
> > : rejects each download because for some reason (like
> > : riaa-evil-doing) sha1 never matches...... With tigertree hashes
> > : this does not occur.

If the Tigertree hash would match but SHA-1 doesn't, that would indicate that TTH is completely broken. I don't think you mean that. Albeit I wonder how programs would handle this, if it actually happens. It's not unthinkable that someone might break TTH if you throw a million or two at the right person. SHA-1 is much older and well researched. Apparently it's not as strong as people thought but if it was completely broken, everybody would know this by now and it would cause much worse issues than corrupted files from Gnutella.

> > That's nonsense. With TTH, you'd simply keep losing the chunks you
> > downloaded as being "bad". In the end, you would not get the whole
> > file either.

> Not quite. If your file has 1000 sources, and only one of these sources
> is "evil", then a bad chunk will on the next try very likely be
> downloaded from another source, and will thus be correct. Which is the
> whole point of TTH.

Yes, and it's a catch-22. One source you say? How likely is it that almost all of your results are in fact spam? Disable spam.txt and hostiles.txt, search for any phrase that matches by incident anything from the billboard charts. The funny thing is nowadays it's rather vice-versa i.e., I have no clue what's in the charts but the spam tells me about it. Actually, some music labels even spam in advance for stuff that has not even been released yet.

The last time I asked LimeWire, they simply picked the first TTH they could get. Even checking multiple sources and picking the most popular TTH is far from being a sane solution. In a nutshell that would only work for the content for which you don't need TTH in the first place. Also uploading a THEX file takes much less traffic than other options.

In a way TTH makes the whole thing more vulnerable - if and only if you obtain the TTH and SHA-1 from a source you can't trust. That's why BitTorrent, for example, does not have these kinds of problems.
It's just because people obtain the checksum(s) from a more or less trustworthy website which is controlled or at least moderated, preventing pretty much any possibility to upload spam or bad checksums. So basically, if there's a moderated website where people publish magnets which announce a SHA-1 and TTH, Gnutella would work just as fine, if not better than BitTorrent. That's where TTH makes a lot of sense but not for search results from Gnutella.

For what it's worth, Gtk-Gnutella has always performed overlap checks which is fairly sufficient to prevent most file corruptions. Of course, assuming the TTH was correct again, TTH could detect accidental corruption caused by broken software or hardware which really could be the source of many corruptions rather than a malicious uploader. SHA-1 detects it too of course but in that case we don't know which chunk was bad.

Now, if due to some bug the TTH is actually corrupt, you wouldn't be able to download the file at all if there's only a single source. With only SHA-1 the corrupted file ends up in the directory for corrupted files and it might be useable after all if it's error-tolerant content.

-- 
Christian
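
An added illustration of the trade-off argued in this thread (not code from gtk-gnutella or from any poster): per-segment tree hashes pinpoint the bad chunk so it can be re-fetched from another source, but only when the root hash comes from somewhere trusted. SHA-256 stands in for Tiger, and the names `fetch`, `bad_segments`, `GOOD` and `EVIL` are constructed for the example.

```python
import hashlib

SEGMENT = 1024  # leaf segment size in bytes, as in THEX

def h(data):
    # SHA-256 is a stand-in: hashlib has no Tiger implementation.
    return hashlib.sha256(data).digest()

def leaf_hashes(data):
    """Hash each segment with the 0x00 leaf prefix."""
    segs = [data[i:i + SEGMENT] for i in range(0, len(data), SEGMENT)] or [b""]
    return [h(b"\x00" + s) for s in segs]

def root_hash(leaves):
    """Fold leaves pairwise (0x01 node prefix); an odd node moves up unchanged."""
    level = list(leaves)
    while len(level) > 1:
        nxt = [h(b"\x01" + level[i] + level[i + 1])
               for i in range(0, len(level) - 1, 2)]
        if len(level) % 2:
            nxt.append(level[-1])
        level = nxt
    return level[0]

def bad_segments(data, leaves):
    """Indexes of segments whose hash differs from the expected leaf."""
    return [i for i, (got, want) in enumerate(zip(leaf_hashes(data), leaves))
            if got != want]

def fetch(sources, root, leaves):
    """Assemble a file segment by segment, trying each source in turn.

    Returns None if the leaves do not fold to `root`, or if some segment
    has no source that verifies.
    """
    if root_hash(leaves) != root:
        return None
    out = []
    for i, want in enumerate(leaves):
        cands = (s[i * SEGMENT:(i + 1) * SEGMENT] for s in sources)
        seg = next((c for c in cands if h(b"\x00" + c) == want), None)
        if seg is None:
            return None
        out.append(seg)
    return b"".join(out)

# Constructed sample data: a 5-segment file and a copy with segment 2 altered.
GOOD = bytes(range(256)) * 18 + b"tail"
EVIL = GOOD[:2048] + b"\xff" * 1024 + GOOD[3072:]
```

With a trusted root, `fetch([EVIL, GOOD], ...)` recovers the good file; with a root and leaves taken from the same untrusted source, `EVIL` verifies cleanly, which is the case the message warns about.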
