On 2020-12-15 at 01:48:14, Jeff King wrote: > On Sun, Dec 13, 2020 at 01:05:38AM +0000, brian m. carlson wrote: > > > Note that this is not perfect, because a user can simply look up all the > > hashed values and find out the old values. However, for projects which > > wish to adopt the feature, it can be somewhat effective to hash all > > existing mailmap entries and include some no-op entries from other > > contributors as well, so as to make this process less convenient. > > I remain unconvinced of the value of any noop entries. Ultimately it's > easy to invert a one-way hash that comes from a small known set of > inputs. And that's true whether there are extra noops or not. > > The interesting argument IMHO is that somebody has to _bother_ to invert > the hash. So it means that the old and new identities do not show up > next to each other in a file indexed by search engines, etc. That drops > the low-hanging fruit. > > And from that argument, I think the obvious question becomes: is it > worth using a real one-way function, as opposed to just obscuring the > raw bytes (which Ævar went into in more detail). I don't have a strong > opinion either way (the obvious one in favor is that it's less expensive > to do so; and something like "git log" will have to either compute a lot > of these hashes, or cache the hash computations internally). I don't disagree that it's easy to invert. The question is, is somebody going to look at a large set of (e.g., a couple hundred) hashed entries and be able to easily find ones of people they'd like to make life difficult for or into whose business they'd like to pry or is it going to be too inconvenient? I think base64 makes the job too easy and if it were me in that situation, I'd prefer a little more effort. I think there's also the benefit, at least for email addresses, in that people can map a "private" email address that they used accidentally into one with more robust filtering without letting bad actors invert it trivially. That doesn't mean spammers can't run through the log, but it does mean that they can't write a simple tool to invert base64 email addresses they've harvested out of Git repositories. And we know that spammers and recruiters (which, in this case, are also spammers) do indeed scrape repositories via the repository web interfaces. And as someone who had to download all 21 GB of the Chromium repository for testing purposes recently, I can tell you that absent a very compelling use case, nobody's going to want to download that entire repository just to extract some personal information, especially since the git index-pack operation is essentially guaranteed to take at least 7 minutes at maximum speed. So by hashing, we've guaranteed significant inconvenience unless you have the repository, whereas that's not the case for base64. And making abuse even slightly harder can often deter a surprising amount of it[0]. So I think I'm firmly in favor of hashing. If that means my patch needs to implement caching, then I'll reroll with that change. I think by switching to a hash table I may be able to actually improve total performance overall, at least in some cases. > I think somebody also mentioned that there's value in the social > signaling here, and I agree with that. But that is true even for a > reversible encoding, I think. That's true, I agree. And for many projects, that will be sufficient. If I saw a hashed mailmap entry, I would assume that it was intended to be private and would respect that. [0] See, for example, greylisting. -- brian m. carlson (he/him or they/them) Houston, Texas, US
Attachment:
signature.asc
Description: PGP signature