don't get it. :-)
Regards
K.
From: Warren Young
To: Fossil SCM user's discussion
Sent: Monday, 27 February 2017 18:10
Subject: Re: [fossil-users] Google Security Blog: Announcing the first SHA1
collision
On Feb 26, 2017, at 2:58 PM, Stephan Beal wrote:
>
>
On 2/27/17, Warren Young wrote:
> On Feb 26, 2017, at 2:58 PM, Stephan Beal wrote:
>>
>> just FYI, Linus' own words on the topic, posted yesterday:
>>
>> https://plus.google.com/u/0/+LinusTorvalds/posts/7tp2gYWQugL
>
> Point #1 misses the fact that people *do* rely on Git hashes for security.
> M
On Feb 26, 2017, at 2:58 PM, Stephan Beal wrote:
>
> just FYI, Linus' own words on the topic, posted yesterday:
>
> https://plus.google.com/u/0/+LinusTorvalds/posts/7tp2gYWQugL
Point #1 misses the fact that people *do* rely on Git hashes for security.
Maybe they’re not “supposed” to, but they
On Feb 26, 2017, at 2:34 PM, Richard Hipp wrote:
>
> On 2/23/17, Warren Young wrote:
>>
>> I think Fossil is in a much better position to do this sort of migration
>> than, say, Git, due to its semi-centralized nature.
>
> it is reasonable to argue that Git(Hub) is more centralized than
> Foss
On Feb 26, 2017, at 2:04 PM, Ron W wrote:
>
> From: Warren Young
>
> > The PHC scheme would allow Fossil to migrate to something stronger in a
> > backwards-compatible fashion:
>
> The PHC scheme is conceptually good, but is not friendly for use by command
> line tools
I wasn’t suggesting th
From: Stephan Beal
To: Fossil SCM user's discussion
Sent: Sunday, 26 February 2017 21:58
Subject: Re: [fossil-users] Google Security Blog: Announcing the first SHA1
collision
On Sun, Feb 26, 2017 at 10:34 PM, Richard Hipp wrote:
And in any event, I don't think centra
On Sun, Feb 26, 2017 at 10:34 PM, Richard Hipp wrote:
> And in any event, I don't think centralization is a factor here.
> Fossil is better positioned than Git or Mercurial to transition to a
> different hash algorithm because the Fossil implementation uses a
> relational database as its backing
On 2/23/17, Warren Young wrote:
>
> I think Fossil is in a much better position to do this sort of migration
> than, say, Git, due to its semi-centralized nature.
Though they are technically distinct, in the minds of many users Git
and GitHub are the same thing. And GitHub is highly centralized.
On Thu, Feb 23, 2017 at 11:23 PM, wrote:
>
> Date: Fri, 24 Feb 2017 04:23:06 + (UTC)
> From: "K. Fossil user"
> To: Fossil SCM user's discussion
> Subject:
> 2/ semi?
>
> > « I think Fossil is in a much better position to do this sort of
> migration than, say, Git, due to its semi-centralize
On Thu, Feb 23, 2017 at 7:02 PM,
wrote:
>
> Date: Thu, 23 Feb 2017 17:01:56 -0700
> From: Warren Young
> Subject: Re: [fossil-users] Google Security Blog: Announcing the first
> SHA1 collision
>
> The PHC scheme would allow Fossil to migrate to something stro
On Fri, Feb 24, 2017 at 5:54 PM,
wrote:
>
> Date: Fri, 24 Feb 2017 20:38:48 +0100
> From: Joerg Sonnenberger
> Subject: Re: [fossil-users] Google Security Blog: Announcing the first
> SHA1 collision
>
> On Fri, Feb 24, 2017 at 10:32:20AM -0800, bch wro
On Fri, Feb 24, 2017 at 03:54:56PM -0700, Warren Young wrote:
> On Feb 24, 2017, at 10:37 AM, Joerg Sonnenberger wrote:
> >
> > On Thu, Feb 23, 2017 at 05:01:56PM -0700, Warren Young wrote:
> >> But now we have new data.
> >> Before, this sort of attack was theoretical only. Now it’s not only
>
On 2/23/2017 4:01 PM, Warren Young wrote:
The PHC scheme would allow Fossil to migrate to something stronger in a
backwards-compatible fashion:
https://github.com/P-H-C/phc-string-format/blob/master/phc-sf-spec.md
That is, if the hash argument in the F, P, and Q cards is not 40 characters
On Feb 24, 2017, at 10:37 AM, Joerg Sonnenberger wrote:
>
> On Thu, Feb 23, 2017 at 05:01:56PM -0700, Warren Young wrote:
>> But now we have new data.
>> Before, this sort of attack was theoretical only. Now it’s not only
>> proven possible, it is already within the ROI budget for certain
>> spe
On Fri, Feb 24, 2017 at 10:32:20AM -0800, bch wrote:
> Are you saying:
>
> contenthash = sha256(content);
> identifier = sha256 (contenthash . blobtype . contentsize . content);
>
> "blobtype" == cardtype ?
Yes.
Joerg
___
fossil-users mailing list
fossi
Are you saying:
contenthash = sha256(content);
identifier = sha256 (contenthash . blobtype . contentsize . content);
"blobtype" == cardtype ?
-bch
On 2/24/17, Joerg Sonnenberger wrote:
> On Thu, Feb 23, 2017 at 05:01:56PM -0700, Warren Young wrote:
>> Second, there will be those who say we’ve
On Thu, Feb 23, 2017 at 05:01:56PM -0700, Warren Young wrote:
> Second, there will be those who say we’ve covered all of this already,
> multiple times. I know, I was there. But now we have new data.
> Before, this sort of attack was theoretical only. Now it’s not only
> proven possible, it is a
discussion
Sent: Friday, 24 February 2017 00:01
Subject: Re: [fossil-users] Google Security Blog: Announcing the first SHA1
collision
On Feb 23, 2017, at 10:50 AM, Marc Simpson wrote:
>
> This may be of interest to some here, especially in light of previous
> SHA
rds
K.
From: Kees Nuyt
To: fossil-us...@mailinglists.sqlite.org
Sent: Thursday, 23 February 2017 18:15
Subject: Re: [fossil-users] Google Security Blog: Announcing the first SHA1
collision
[Default] On Thu, 23 Feb 2017 09:50:12 -0800, Marc Simpson
wrote:
>This may be of interest
On Thu, Feb 23, 2017 at 06:12:18PM -0500, Martin Gagnon wrote:
> Seems that Git can store both of them, I believe it calculates the sha1
> on a combination of the filename and the content or something like that.
No, it stores the object type first, which effectively creates a
different block struct
On Feb 23, 2017, at 10:50 AM, Marc Simpson wrote:
>
> This may be of interest to some here, especially in light of previous
> SHA-1 related discussions on list:
>
> https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html
Before I respond, first know that I respond out of c
On Thu, Feb 23, 2017 at 03:18:29PM -0800, bch wrote:
[snip]
>
> Or more correctly, "a *subsequent* file with the same sha1 hash..." If you
> happened to commit the Trojan file first, the "good" commit would have been
> the one to fail.
>
True, but if you pull from untrusted user (or give push
On Feb 23, 2017 15:12, "Martin Gagnon" wrote:
On Thu, Feb 23, 2017 at 09:50:12AM -0800, Marc Simpson wrote:
> This may be of interest to some here, especially in light of previous
> SHA-1 related discussions on list:
>
> https://security.googleblog.com/2017/02/announcing-first-
sha1-collision.h
On Thu, Feb 23, 2017 at 09:50:12AM -0800, Marc Simpson wrote:
> This may be of interest to some here, especially in light of previous
> SHA-1 related discussions on list:
>
> https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html
>
Also, Here's a related discussion from g
[Default] On Thu, 23 Feb 2017 09:50:12 -0800, Marc Simpson
wrote:
>This may be of interest to some here, especially in light of previous
>SHA-1 related discussions on list:
>
> https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html
Interesting.
https://shattered.io/ says:
This may be of interest to some here, especially in light of previous
SHA-1 related discussions on list:
https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html
/M
___
fossil-users mailing list
fossil-users@lists.fossil-scm.org