Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S262587AbVDYM0y (ORCPT ); Mon, 25 Apr 2005 08:26:54 -0400 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S262592AbVDYM0y (ORCPT ); Mon, 25 Apr 2005 08:26:54 -0400 Received: from thunk.org ([69.25.196.29]:8354 "EHLO thunker.thunk.org") by vger.kernel.org with ESMTP id S262587AbVDYM0m (ORCPT ); Mon, 25 Apr 2005 08:26:42 -0400 Date: Mon, 25 Apr 2005 07:57:50 -0400 From: "Theodore Ts'o" To: Bernd Eckenfels Cc: Paul Jackson , linux-kernel@vger.kernel.org Subject: Re: more git updates.. Message-ID: <20050425115750.GA11233@thunk.org> Mail-Followup-To: Theodore Ts'o , Bernd Eckenfels , Paul Jackson , linux-kernel@vger.kernel.org References: <20050423174227.51360d63.pj@sgi.com> <20050423211326.7ed8e199.pj@sgi.com> <20050424043813.GA2422@lina.inka.de> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20050424043813.GA2422@lina.inka.de> User-Agent: Mutt/1.5.8i Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1613 Lines: 33 On Sun, Apr 24, 2005 at 06:38:13AM +0200, Bernd Eckenfels wrote: > On Sat, Apr 23, 2005 at 09:13:26PM -0700, Paul Jackson wrote: > > I don't believe you. Reference? > > I had MD5 in mind, sorry. I havent seen the SHA-1 colision samples, yet. > However it is likely to be available soon. (a simple pair with two files > will be enugh to cause "theoretical" problems. However I think it would be > possible to detect collisions on add and append sequence numbers... ugly. The MD5 collision smaples are for two 16 byte inputs which when run through the MD5 algorithm, result in the same 128-bit hash. The SHA-1 collision samples are for two 20 byte inputs which when run through the SHA algorithm create the same 160-bit hash. In neither case will the inputs be valid git objects, nor anything approaching ASCII text, let alone valid C files. So what theoretical problems will be caused by this? Sure, an attacker can check a garbage file containing (apparently) random bytes into git, and then produce another garbage file containing some completely other (apparently) random bytes which will collide with the first garbage file. You want to explain how this is going to cause problems in the git systems? And even if you can describe any problems, you want to explain why any such theoretical problems couldn't be trivially detected and fixed? - Ted - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/