Re: git branch help?

Matt McCutchen wrote:
> "Broken" in the past tense is inaccurate: no SHA-1 collision has been
> published yet.  I would like to see DVCSes switch to a stronger hash
> algorithm sooner rather than later, but it's not enough of a concern
> that I would avoid using them.  If it makes you feel any better, git
> will not allow a fetched object to replace a local one with the same
> hash, so you can only lose if you fetch from the attacker first.

I'm not talking about intentional collisions; I'm talking about accidental 
collisions, which ALL hash algorithms are vulnerable to, no matter how 
strong. Hashes are inherently non-injective and mathematically CANNOT be 
otherwise. Now the probability of an accidental collision is very low, but 
it is not zero, so the algorithm is unreliable. And low probabilities add up 
the more projects use DVCSes. Sooner or later some project will be hit by a 
collision.

And the shorter the hash, the more likely a collision (exponentially!), so 
the "abbreviated hashes" git uses are particularly collision-prone.

> For sequential commit numbering, try "git describe".

Nobody actually uses those numbers though (and in fact I doubt those numbers 
can be used in all the ways SVN revision IDs can be used). What everyone 
uses is hashes, leaving you to wonder whether deadbeef or c0cac01a is the 
newer revision (assuming that both are snapshots from master or at least 
from the same branch, which is usually the case when comparing 2 packaged 
snapshots).

> The problems with CVS were amply explained there, but it's less clear to
> me whether there were compelling reasons to choose git over (e.g.) SVN +
> git-svn or the people involved just happened to like distributed version
> control, as I do.

Sure they do, but the problem is that they're FORCING their preference onto 
everyone, whereas using SVN would have allowed them to work their way (using 
SVK or git-svn) without breaking our workflow, and SVN has all the required 
features (e.g. atomic commits and thus repository-wide revision IDs).

Sadly, more and more projects are getting infected by the git virus: KDE is 
also moving to git, and several other upstream projects already did. :-(

        Kevin Kofler

-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
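
Added example, not part of the original message: a birthday-bound estimate of accidental collisions for a given id length, together with a check for ambiguous abbreviated ids in a set. The function names and the sample ids (built around the "deadbeef" and "c0cac01a" abbreviations mentioned above) are constructed for illustration.

```python
import math

def collision_probability(n_objects, hex_digits):
    """Birthday-bound estimate that n random ids of this length contain a collision."""
    space = 16 ** hex_digits
    # P ~= 1 - exp(-n(n-1) / (2 * space)); expm1 keeps precision when P is tiny.
    return -math.expm1(-n_objects * (n_objects - 1) / (2 * space))

def ambiguous_prefixes(object_ids, length):
    """Map each prefix of the given length to the ids sharing it, if more than one."""
    groups = {}
    for oid in object_ids:
        groups.setdefault(oid[:length], []).append(oid)
    return {p: sorted(ids) for p, ids in groups.items() if len(ids) > 1}

def min_unique_prefix(object_ids, floor=4):
    """Shortest abbreviation length (>= floor) at which every id is unambiguous."""
    ids = set(object_ids)
    full = max(len(oid) for oid in ids)
    for length in range(floor, full + 1):
        if not ambiguous_prefixes(ids, length):
            return length
    return full

# Constructed 40-hex-digit ids, not taken from any real repository.
SAMPLE_IDS = [
    "deadbeef" + "0" * 32,
    "deadbee1" + "0" * 32,
    "c0cac01a" + "0" * 32,
]

if __name__ == "__main__":
    # One million objects at 7, 12 and 40 hex digits.
    for digits in (7, 12, 40):
        print(digits, collision_probability(1_000_000, digits))
    print(min_unique_prefix(SAMPLE_IDS), ambiguous_prefixes(SAMPLE_IDS, 7))
```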