From: Jeff King <peff@peff.net>
To: Nguyen Thai Ngoc Duy <pclouds@gmail.com>
Cc: Bill Zaumen <bill.zaumen+git@gmail.com>,
git@vger.kernel.org, gitster@pobox.com, spearce@spearce.org,
torvalds@linux-foundation.org
Subject: Re: [PATCH] Implement fast hash-collision detection
Date: Tue, 29 Nov 2011 15:59:05 -0500 [thread overview]
Message-ID: <20111129205905.GA1793@sigill.intra.peff.net> (raw)
In-Reply-To: <CACsJy8DboVU4kSbJSV=8NP08OyLYVgOKsm8tt=koZ0=JcGSE=A@mail.gmail.com>
On Tue, Nov 29, 2011 at 09:04:06PM +0700, Nguyen Thai Ngoc Duy wrote:
> > You can fix this by including an extra header in the signed part of the
> > tag that says "also, the digest of the commit I point to is X". Then you
> > know you have the same commit that Linus had. But the commit points to a
> > tree by its sha1. So you have to add a similar header in the commit
> > object that says "also, the digest of the tree I point to is X". And
> > ditto for all of the parent pointers, if you want to care about signing
> > history. And then you have the same problem in the tree: each sub-tree
> > and blob is referenced by its sha1.
> >
> Can we just hash all objects in a pack from bottom up, (replacing
> sha-1 in trees/commits/tags with the new digest in memory before
> hashing), then attach the new top digest to tag's content? The sender
> is required by the receiver to send new digests for all objects in the
> pack together with the pack. The receiver can then go through the same
> process to produce the top digest and match it with one saved in tag.
I think that is conflating two different layers of git. The security for
tags happens at the conceptual object db layer: you sign a tag, and that
points to a commit, which points to a tree, and so on. The authenticity
comes from the tag signature, but the integrity of each link in the
chain is verifiable because of the has property. The pack layer, on the
other hand, is just an implementation detail about how those conceptual
objects are stored. More than just your tag will be in a pack, and the
contents of your tag may be spread across several packs (or even loose
objects).
So I don't think it's right to talk about packs at all in the signature
model.
If you wanted to say "make a digest of all of the sub-objects pointed to
by the tag", then yes, that does work (security-wise). But it's
expensive to calculate. Instead, you want to use a "digest of digests"
as much as possible. Which is what git already does, of course; you hash
the tree object, which contains hashes of the blob sha1s. Git's
conceptual model is fine. The only problem is that sha1 is potentially
going to lose its security properties, weakening the links in the chain.
So as much as possible, we want to insert additional links at the exact
same places, but using a stronger algorithm.
Does that make sense?
-Peff
next prev parent reply other threads:[~2011-11-29 20:59 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <1322546563.1719.22.camel@yos>
2011-11-29 9:07 ` [PATCH] Implement fast hash-collision detection Jeff King
2011-11-29 10:24 ` Ævar Arnfjörð Bjarmason
2011-11-29 10:29 ` Jeff King
2011-11-29 13:17 ` Nguyen Thai Ngoc Duy
2011-11-29 15:23 ` Shawn Pearce
2011-11-29 14:04 ` Nguyen Thai Ngoc Duy
2011-11-29 20:59 ` Jeff King [this message]
2011-11-30 13:35 ` Nguyen Thai Ngoc Duy
2011-11-30 18:05 ` Junio C Hamano
2011-12-01 4:43 ` Nguyen Thai Ngoc Duy
2011-11-30 19:00 ` Bill Zaumen
2011-11-29 21:56 ` Bill Zaumen
2011-11-30 6:25 ` Jeff King
2011-12-01 0:41 ` Bill Zaumen
2011-12-01 5:26 ` Jeff King
2011-12-02 2:59 ` Bill Zaumen
2011-12-02 17:00 ` Jeff King
2011-11-29 17:08 ` Shawn Pearce
2011-11-29 22:05 ` Jeff King
2011-11-30 4:01 ` Bill Zaumen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20111129205905.GA1793@sigill.intra.peff.net \
--to=peff@peff.net \
--cc=bill.zaumen+git@gmail.com \
--cc=git@vger.kernel.org \
--cc=gitster@pobox.com \
--cc=pclouds@gmail.com \
--cc=spearce@spearce.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).