Nlnet funding for transitioning out of SHA-1

Raphaël Gomès raphael.gomes at octobus.net
Tue Jan 28 06:46:57 EST 2020 

Hello again,

I think the current proposal is complete, I will re-read the entire 
thing later tonight to be sure.

I plan on submitting tomorrow morning (Paris time) to leave the 
opportunity for people in all time zones to get the notice in advance.

Thank you for helping,
Raphaël

On 1/15/20 5:53 PM, Raphaël Gomès wrote:
> Hello all,
>
> As you all know, we have to transition out of using SHA-1 for 
> Mercurial (https://www.mercurial-scm.org/wiki/SHA1TransitionPlan). 
> While a known mitigation has been introduced by a few of Augie's 
> patches, we still have to act on that transition.
>
> The Nlnet foundation has a program (https://nlnet.nl/PET/) for 
> sponsoring privacy and trust enhancing technologies, category which 
> this aspect of Mercurial falls into. Someone whose identity remains 
> unclear came to the #mercurial IRC channel to tell us to send a 
> submission.
>
> The latest "sha-mbles" attack is the stingy reminder that we need to 
> take care of this before it is too late. Getting explicit funding is a 
> great way to move forward and ensure Mercurial does not become a 
> security liability in the near future.
>
> The deadline for submission is Feb 1st, so we have to move fast.
>
> The NLnet process is fairly light. Here are the things that we need 
> think about as a community for this submission:
>     - Project abstract (1200 chars)
>     - The requested amount ranging from 5k to 50k€ (with details on 
> how it is going to be spent).
>     - Comparison with other efforts (probably a comparison with what 
> git did)
>     - Explanation of the technical challenges. Probably a mix of:
>         - Mercurial is a 15 year old code base with strong 
> compatibility guarantees
>         - A smooth but secure transition is going to be hard
>
> The first step here is to sketch a high-level plan of the steps we 
> need to take to transition out of SHA-1. The actual details (which 
> algorithm, rehashing/compatibility, etc) can be dealt with while the 
> work is actually being done.
>
> Right now I can see the following high level steps
>
>     - Update the core code to be able to deal with multiple hashing 
> functions
>     - Update the network protocol to deal with multiple hashing functions
>     - Update the on-disk format to deal with larger hashes
>     - How to deal with backwards and forwards compatibility with 
> regards to both repositories and client/server (wire protocol changes, 
> etc.)
>     - How changing hashing functions impacts the user experience (from 
> additional steps to UI getting broken)
>     - Help extensions to migrate if need be
>     - Actually select a new hash function
>
> Am I missing anything? How do you all feel about this?
>
> Thanks,
> Raphaël
>
> _______________________________________________
> Mercurial-devel mailing list
> Mercurial-devel at mercurial-scm.org
> https://www.mercurial-scm.org/mailman/listinfo/mercurial-devel

More information about the Mercurial-devel mailing list