On Tue, Jul 24, 2018 at 12:01 PM Edward Thomson
<ethomson@xxxxxxxxxxxxxxxxx> wrote:
>
> Switching gears, if I look at this from the perspective of the libgit2
> project, I would also prefer SHA-256 or SHA3 over blake2b. To support
> blake2b, we'd have to include - and support - that code ourselves. But
> to support SHA-256, we would simply use the system's crypto libraries
> that we already take a dependecy on (OpenSSL, mbedTLS, CryptoNG, or
> SecureTransport).
I think this is probably the single strongest argument for sha256.
"It's just there".
The hardware acceleration hasn't become nearly as ubiquitous as I
would have hoped, and honestly, sha256 _needs_ hw acceleration more
than some of the alternatives in the first place.
But sha256 does have the big advantage of just having been around and
existing in pretty much every single crypto library.
So I'm not a huge fan of sha256, partly because of my disappointment
in lack of hw acceleration in releant markets (sure, it's fairly
common in ARM, but nobody sane uses ARM for development because of
_other_ reasons). And partly because I don't like how the internal
data size is the same as the final hash. But that second issue is an
annoyance with it, not a real issue - in the absence of weaknesses
it's a non-issue, and any future weaknesses might affect any other
choice too.
So hey, if people are actually at the point where the lack of choice
holds up development, we should just pick one. And despite what I've
said in this discussion, sha256 would have been my first choice, just
because it's the "obvious" choice. The exact same way that SHA1 was
the obvious choice (for pretty much the same infrastructure reasons)
back in 2005.
And maybe the hw acceleration landscape will actually improve. I think
AMD actually does do the SHA extensions in Zen/TR.
So I think Junio should just pick one. And I'll stand up and say
"Let's just pick one.
And sha256 is certainly the safe choice in that it won't strike
anybody as being the _wrong_ choice per se, even if not everybody will
necessarily agree it's the _bext_ choice".
but in the end I think Junio should be the final arbiter. I think all
of the discussed choices are perfectly fine in practice.
Btw, the one thing I *would* suggest is that the git community just
also says that the current hash is not SHA1, but SHA1DC.
Support for "plain" SHA1 should be removed entirely. If we add a lot
of new infrastructure to support a new more secure hash, we should not
have the old fallback for the known-weak one. Just make SHA1DC the
only one git can be built with.
Linus
