A set of ideas pertaining to cryptographic validation of Git release branches and artifacts: https://gist.github.com/djspiewak/a6cef156708c6a95906d …
@djspiewak SHA1 may be "easy to collide" but really you're talking about a second preimage attack, right? (that said, SHA1 still sucks)
@bascule @djspiewak "easy to collide" <- as in, should only take like $500k of EC2 to generate a collision. Is there something I'm missing?
@puffnfresh @bascule For some projects and some applications, that would be money well spent for an attacker.
@djspiewak @puffnfresh a collision in and of itself isn't particularly useful though. It really needs to be a preimage attack...
@bascule @puffnfresh You don’t need a preimage, just a second preimage. The former is much harder, while the latter is basically a collision
@djspiewak @puffnfresh yes I'm aware :P https://twitter.com/bascule/status/547547376102023168 … and we aren't there yet, nor is there evidence we will be soon...
@djspiewak @puffnfresh I'm not saying SHA1 isn't terrible, just that there isn't anything promising in this department yet attack-wise
@bascule @puffnfresh I worry primarily because long term releases are just that, long term.