Nlnet funding for transitioning out of SHA-1
Raphaël Gomès
raphael.gomes at octobus.net
Wed Jan 29 04:31:50 EST 2020
I just sent the proposal. I will keep you updated in this thread.
Thanks again for helping,
Raphaël
On 1/28/20 12:46 PM, Raphaël Gomès wrote:
> Hello again,
>
> I think the current proposal is complete, I will re-read the entire
> thing later tonight to be sure.
>
> I plan on submitting tomorrow morning (Paris time) to leave the
> opportunity for people in all time zones to get the notice in advance.
>
> Thank you for helping,
> Raphaël
>
> On 1/15/20 5:53 PM, Raphaël Gomès wrote:
>> Hello all,
>>
>> As you all know, we have to transition out of using SHA-1 for
>> Mercurial (https://www.mercurial-scm.org/wiki/SHA1TransitionPlan).
>> While a known mitigation has been introduced by a few of Augie's
>> patches, we still have to act on that transition.
>>
>> The Nlnet foundation has a program (https://nlnet.nl/PET/) for
>> sponsoring privacy and trust enhancing technologies, a category which
>> this aspect of Mercurial falls into. Someone whose identity remains
>> unclear came to the #mercurial IRC channel to tell us to send a
>> submission.
>>
>> The latest "sha-mbles" attack is the stinging reminder that we need to
>> take care of this before it is too late. Getting explicit funding is
>> a great way to move forward and ensure Mercurial does not become a
>> security liability in the near future.
>>
>> The deadline for submission is Feb 1st, so we have to move fast.
>>
>> The NLnet process is fairly light. Here are the things that we need
>> to think about as a community for this submission:
>> - Project abstract (1200 chars)
>> - The requested amount ranging from 5k to 50k€ (with details on
>>   how it is going to be spent).
>> - Comparison with other efforts (probably a comparison with what
>>   git did)
>> - Explanation of the technical challenges. Probably a mix of:
>>   - Mercurial is a 15 year old code base with strong
>>     compatibility guarantees
>>   - A smooth but secure transition is going to be hard
>>
>> The first step here is to sketch a high-level plan of the steps we
>> need to take to transition out of SHA-1. The actual details (which
>> algorithm, rehashing/compatibility, etc) can be dealt with while the
>> work is actually being done.
>>
>> Right now I can see the following high-level steps:
>>
>> - Update the core code to be able to deal with multiple hashing
>>   functions
>> - Update the network protocol to deal with multiple hashing
>>   functions
>> - Update the on-disk format to deal with larger hashes
>> - How to deal with backwards and forwards compatibility with
>>   regards to both repositories and client/server (wire protocol
>>   changes, etc.)
>> - How changing hashing functions impacts the user experience
>>   (from additional steps to UI getting broken)
>> - Help extensions to migrate if need be
>> - Actually select a new hash function
>>
>> Am I missing anything? How do you all feel about this?
>>
>> Thanks,
>> Raphaël
>>
>> _______________________________________________
>> Mercurial-devel mailing list
>> Mercurial-devel at mercurial-scm.org
>> https://www.mercurial-scm.org/mailman/listinfo/mercurial-devel