Nlnet funding for transitioning out of SHA-1

Raphaël Gomès raphael.gomes at octobus.net
Wed Jan 29 04:31:50 EST 2020


I just sent the proposal. I will keep you updated in this thread.

Thanks again for helping,
Raphaël

On 1/28/20 12:46 PM, Raphaël Gomès wrote:
> Hello again,
>
> I think the current proposal is complete; I will re-read the entire 
> thing later tonight to be sure.
>
> I plan on submitting tomorrow morning (Paris time) to leave the 
> opportunity for people in all time zones to get the notice in advance.
>
> Thank you for helping,
> Raphaël
>
> On 1/15/20 5:53 PM, Raphaël Gomès wrote:
>> Hello all,
>>
>> As you all know, we have to transition out of using SHA-1 for 
>> Mercurial (https://www.mercurial-scm.org/wiki/SHA1TransitionPlan). 
>> While a known mitigation has been introduced by a few of Augie's 
>> patches, we still have to act on that transition.
>>
>> The Nlnet foundation has a program (https://nlnet.nl/PET/) for 
>> sponsoring privacy and trust enhancing technologies, a category which 
>> this aspect of Mercurial falls into. Someone whose identity remains 
>> unclear came to the #mercurial IRC channel to tell us to send a 
>> submission.
>>
>> The latest "sha-mbles" attack is the stinging reminder that we need to 
>> take care of this before it is too late. Getting explicit funding is 
>> a great way to move forward and ensure Mercurial does not become a 
>> security liability in the near future.
>>
>> The deadline for submission is Feb 1st, so we have to move fast.
>>
>> The NLnet process is fairly light. Here are the things that we need 
>> to think about as a community for this submission:
>>     - Project abstract (1200 chars)
>>     - The requested amount ranging from 5k to 50k€ (with details on 
>> how it is going to be spent).
>>     - Comparison with other efforts (probably a comparison with what 
>> git did)
>>     - Explanation of the technical challenges. Probably a mix of:
>>         - Mercurial is a 15-year-old code base with strong 
>> compatibility guarantees
>>         - A smooth but secure transition is going to be hard
>>
>> The first step here is to sketch a high-level plan of the steps we 
>> need to take to transition out of SHA-1. The actual details (which 
>> algorithm, rehashing/compatibility, etc) can be dealt with while the 
>> work is actually being done.
>>
>> Right now I can see the following high level steps
>>
>>     - Update the core code to be able to deal with multiple hashing 
>> functions
>>     - Update the network protocol to deal with multiple hashing 
>> functions
>>     - Update the on-disk format to deal with larger hashes
>>     - How to deal with backwards and forwards compatibility with 
>> regards to both repositories and client/server (wire protocol 
>> changes, etc.)
>>     - How changing hashing functions impacts the user experience 
>> (from additional steps to UI getting broken)
>>     - Help extensions to migrate if need be
>>     - Actually select a new hash function
>>
>> Am I missing anything? How do you all feel about this?
>>
>> Thanks,
>> Raphaël
>>
>> _______________________________________________
>> Mercurial-devel mailing list
>> Mercurial-devel at mercurial-scm.org
>> https://www.mercurial-scm.org/mailman/listinfo/mercurial-devel
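The first two steps in the plan quoted above (core code and on-disk format able to handle more than one hash function and a larger digest) can be illustrated with a small, self-contained sketch. The block below is an added example and is not code from this thread or from Mercurial itself. The parent-mixing rule (both parents in sorted order, then the content) follows the way Mercurial derives a revision's node id; the `HASHERS` registry, the fixed 32-byte `NODE_WIDTH` field and the zero-padding scheme for storing a 20-byte SHA-1 node in that field are assumptions made for the illustration, not a description of how Mercurial will do it.

```python
import hashlib
import hmac
from typing import Callable

# Registry of supported digests. Adding a hash function becomes a one-line
# change instead of a hunt for hard-coded sha1 calls across the code base.
# (Illustrative names; not Mercurial's own API.)
HASHERS: dict[str, Callable[[], "hashlib._Hash"]] = {
    "sha1": hashlib.sha1,
    "sha256": hashlib.sha256,
}

# Assumed fixed width of the on-disk node field, sized for the larger digest.
NODE_WIDTH = 32


def digest_size(algo: str) -> int:
    return HASHERS[algo]().digest_size


def nullid(algo: str) -> bytes:
    """All-zero node used for a missing parent; its length depends on the hash."""
    return b"\0" * digest_size(algo)


def node_id(text: bytes, p1: bytes, p2: bytes, algo: str = "sha1") -> bytes:
    """Hash-agnostic node id: H(min(p1, p2) || max(p1, p2) || text).

    The selected digest is a parameter, so the same code path produces a
    20-byte SHA-1 node or a 32-byte SHA-256 node.
    """
    size = digest_size(algo)
    if len(p1) != size or len(p2) != size:
        raise ValueError("parent node length does not match %s" % algo)
    h = HASHERS[algo]()
    lo, hi = sorted((p1, p2))
    h.update(lo)
    h.update(hi)
    h.update(text)
    return h.digest()


def store_node(node: bytes, algo: str) -> bytes:
    """Lay a node out in the fixed-width on-disk field.

    Shorter digests are zero-padded on the right so one record layout can hold
    either hash (assumed scheme for the example).
    """
    size = digest_size(algo)
    if len(node) != size:
        raise ValueError("node length %d does not match %s" % (len(node), algo))
    return node.ljust(NODE_WIDTH, b"\0")


def load_node(stored: bytes, algo: str) -> bytes:
    """Read a node back from the fixed-width field, rejecting corrupt padding."""
    if len(stored) != NODE_WIDTH:
        raise ValueError("stored field has wrong width")
    size = digest_size(algo)
    node, pad = stored[:size], stored[size:]
    if pad != b"\0" * (NODE_WIDTH - size):
        raise ValueError("unexpected bytes in node padding")
    return node


def verify_record(text: bytes, p1: bytes, p2: bytes, stored: bytes, algo: str) -> bool:
    """Integrity check: recompute the node from content and parents and compare
    it (constant-time) with the node read from disk."""
    expected = node_id(text, p1, p2, algo)
    return hmac.compare_digest(expected, load_node(stored, algo))


if __name__ == "__main__":
    # Constructed sample: a root revision with no parents, under both hashes.
    content = b"hello world\n"
    for algo in HASHERS:
        n = node_id(content, nullid(algo), nullid(algo), algo)
        on_disk = store_node(n, algo)
        print(algo, n.hex(), "stored width", len(on_disk),
              "verifies:", verify_record(content, nullid(algo), nullid(algo), on_disk, algo))
```

Threading the algorithm name through every call site, rather than assuming a 20-byte digest, is what makes the later choice of hash function (the last step in the plan) a configuration decision instead of another code migration; the round-trip check in `verify_record` is also where a corrupted or truncated node field surfaces after a format change.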

