SHA-1 and changeset signatures

Wojciech Milkowski wmilkowski at interia.pl
Sat Aug 27 13:40:17 CDT 2005


Eric Hopper wrote:

> Because of the general nature of SHA-1 and MD5 (and SHA-{256,384,512}),
> being able to generate two random texts that hash the same mean that you
> can generate two texts that are mostly not random that hash to the same
> value.  This is enough.

This applies to _ALL_ hash functions, and what really matter is how long
searching must be done to find collision. Technically 2^128, or even
2^80 possibilities is enough, you just have to use algorithm which
ensure that - this is the biggest problem so far.

Chad Netzer wrote:

> At best, it'd probably have to be the same person checking in both the
> original and replacement code, in which case there already issues
> about whose code you trust enough to run.

And since Mercurial repositories are append-only I think it's safe to
believe only first commit.

Wojtek


----------------------------------------------------------------------
Startuj z INTERIA.PL! >>> http://link.interia.pl/f186c 



More information about the Mercurial mailing list