mirrors/git-annex
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages 1 Wiki Activity Actions

update

Browse source
This commit is contained in:
Joey Hess 2017-02-24 00:21:58 -04:00
parent 60d99a80a6
commit 969da82b5c
No known key found for this signature in database
GPG key ID: C910D9222512E3C7
1 changed files with 4 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
doc/todo/sha1_collision_embedding_in_git-annex_keys.mdwn
View file

@ -23,12 +23,10 @@ is enabled)
A few other potential problems: A few other potential problems:
* `*E` backends could embed sha1 collision data in a long filename * `*E` backends could embed sha1 collision data in a long filename
extension. That this is much harder to exploit because git-annex extension. It might be worth limiting the length
checks the hash of the data when it enters the repository, and git-annex of an extension allowed in such a key to the longest such extension
fsck also verifies it. It still might be worth limiting the length git-annex has ever supported (probably < 20 bytes or so), which would
of an extension in such a key to the longest such extension git-annex has be less than the size of the data needed for current SHA1 collision attacks.
ever supported (probably < 20 bytes or so), which would be less than the
size of the data needed for current SHA1 collision attacks.
* It might be possible to embed colliding data in a specially constructed * It might be possible to embed colliding data in a specially constructed
key name with an extra field in it, eg "SHA256-cXXXXXXXXXXXXXXX-...". key name with an extra field in it, eg "SHA256-cXXXXXXXXXXXXXXX-...".
Need to review the code and see if such extra fields are allowed. Need to review the code and see if such extra fields are allowed.