Hi,

zimoun <zimon.touto...@gmail.com> writes:
> On Sat, 18 Sept 2021 at 23:10, Ludovic Courtès <l...@gnu.org> wrote:

[...]

>> > How a chosen-prefix attack could work here? I understand why the second
>> > preimage attack is an issue. But I miss how the SHA-1 chosen-prefix attack
>> > could be exploited here to compromise the user, because this hash is
>> > provided by this very same user.
>>
>> I think you’re right, it’s rather second-preimage attacks that would be
>> a serious problem. My point is: as time passes, assuming that a SHA1
>> resolves to a single revision on SWH is becoming more and more
>> questionable.
>
> Well, SHA-1 is 2^160 (~10^48.2) and compared to 10^50 which is the
> estimated number of atoms in Earth. Speaking about
> content-addressability, SHA-1 seems fine. However, for security, yeah
> time flies. :-)

True!

>> >> swh: Support downloads of bare Git repositories.
>> >> git: 'update-cached-checkout' can fall back to SWH when cloning.
>> >> git: 'reference-available?' recognizes 'tag-or-commit'.
>>
>> I’ve pushed this after adding the warning as you suggested:
>>
>> dce2cf311b * git: 'reference-available?' recognizes 'tag-or-commit'.
>> 05f44c2d85 * git: 'update-cached-checkout' can fall back to SWH when cloning.
>> 6ec81c31c0 * swh: Support downloads of bare Git repositories.
>
> Cool! I would deserve a --news entry. ;-)

That’s a good idea, I’ve added one.

Thanks,
Ludo’.