From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp10.migadu.com ([2001:41d0:2:4a6f::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms0.migadu.com with LMTPS id cOSXMRU902HkXAAAgWs5BA (envelope-from ) for ; Mon, 03 Jan 2022 19:14:45 +0100 Received: from aspmx1.migadu.com ([2001:41d0:2:4a6f::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp10.migadu.com with LMTPS id yMlNKhU902HqRAAAG6o9tA (envelope-from ) for ; Mon, 03 Jan 2022 19:14:45 +0100 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id 15FC3341D8 for ; Mon, 3 Jan 2022 19:14:02 +0100 (CET) Received: from localhost ([::1]:35518 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1n4RqL-00038f-32 for larch@yhetil.org; Mon, 03 Jan 2022 13:14:01 -0500 Received: from eggs.gnu.org ([209.51.188.92]:51516) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1n4Rq2-00036s-4g for guix-devel@gnu.org; Mon, 03 Jan 2022 13:13:42 -0500 Received: from [2a00:1450:4864:20::443] (port=44555 helo=mail-wr1-x443.google.com) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1n4Rq0-0000uS-8a for guix-devel@gnu.org; Mon, 03 Jan 2022 13:13:41 -0500 Received: by mail-wr1-x443.google.com with SMTP id k18so34674631wrg.11 for ; Mon, 03 Jan 2022 10:13:39 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=message-id:subject:from:to:date:in-reply-to:references:user-agent :mime-version:content-transfer-encoding; bh=rXZC5u8W1NOnrG+a9aQnHdtlJp+7iCZgd98qQ3phecg=; b=nOOtT0SOcudBjUGtbdTHjI84BHBTN4txrOQxaD2O/Rjyecmjt6Ef/GiXCY9pYESX1a GKmxOXGqCgIDy6DJ1Q1DqgZcWeaivv9jbAV9wy81G0ji4mR5wxAbWcet/ecIoYGlK27i QIdkYq38MXtWp9Y9KOlZeIewPsqaGxBct8jpoDZlMmW0i01vNObKSFXnP81cQQFRgWnZ 6SSwnZPAFNKIV8e6G6Y5ItaAltM4t79lN/Xj32LVjOLmUQHsOcXa8UWw9B+UTDcRUoMl mpeqhZjlE2JS31N0uiKmsMAXC/V5yi3YFURLs0CRLwX0iWo2kVkXG2QLpgyC6iNviBQX 5NAw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:message-id:subject:from:to:date:in-reply-to :references:user-agent:mime-version:content-transfer-encoding; bh=rXZC5u8W1NOnrG+a9aQnHdtlJp+7iCZgd98qQ3phecg=; b=vxNmcw8hBmYawHMyT8qtVb+zcMd5CFdW7n0FoPE/UdZ3yU8f/tZovyk/BhB+yv/h2/ FQM8ptKFOQZLVmwqUb+DC0DCcUsanjJhpuxnhyqHOKJOYKjPXtx008FRbdSWIwlXOknL qnSDe1BwLJepDVC0pgDmeKKEHZSO/WICUdMz3PqdX99W7JgragR81QbKGS0pV01Zp9YE ZahTDnQ0zBdNMaaMTbhcwL383DEMpSpLFgaLYuylGray2LhQ4CdvYKpwkdZz9K6Yep6F 711p1mcJM6sUyr7vZPp58cg50fldD3/XZmgUtvmiFc4YEjWlkVjFHC17epXwZVejyTib r/CQ== X-Gm-Message-State: AOAM532rkPYOTB+qBfxmqoDiyFp2f10/K8iLvle1rfX15dmtpc11SzMK 16lHL/Y5+nICpLDvUnbo6lM= X-Google-Smtp-Source: ABdhPJwstD5lTBkwSVFP5uyWDndvUZbiGUw7Cp3IkdqimD8tBVceshAAONBb3jgSi8dsnO9+Zu1yjg== X-Received: by 2002:a5d:64e1:: with SMTP id g1mr39525115wri.403.1641233617778; Mon, 03 Jan 2022 10:13:37 -0800 (PST) Received: from nijino.fritz.box (85-127-52-93.dsl.dynamic.surfer.at. [85.127.52.93]) by smtp.gmail.com with ESMTPSA id m17sm38873699wmq.31.2022.01.03.10.13.36 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 03 Jan 2022 10:13:37 -0800 (PST) Message-ID: <8fc6f95442ff8c5f0d5a317a84b7bdd180543cae.camel@gmail.com> Subject: Re: On raw strings in commit field From: Liliana Marie Prikler To: zimoun , Mark H Weaver , guix-devel@gnu.org Date: Mon, 03 Jan 2022 19:13:35 +0100 In-Reply-To: <864k6lw4vh.fsf@gmail.com> References: <6e451a878b749d4afb6eede9b476e5faabb0d609.camel@gmail.com> <86y243kdoo.fsf@gmail.com> <899587fb6a76ddfa37d197d3d0fd23cdc7ad8592.camel@gmail.com> <867dbmi7pf.fsf@gmail.com> <3d448fe42f0c43574db96fa26aecd7da5fd5a95d.camel@gmail.com> <877dbkmjm9.fsf@netris.org> <762e9fb7116c442bf0f8f63221bf32fa2b77f2cf.camel@gmail.com> <87y240kq2i.fsf@netris.org> <9362c6fb7e34ded5d009c3f79cd18300d6cd539c.camel@gmail.com> <87r19rkx9h.fsf@netris.org> <86bl0url52.fsf@gmail.com> <86bf0d941ff6095961670a41478e603fa961e498.camel@gmail.com> <864k6lw4vh.fsf@gmail.com> Content-Type: text/plain; charset="UTF-8" User-Agent: Evolution 3.42.1 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Host-Lookup-Failed: Reverse DNS lookup failed for 2a00:1450:4864:20::443 (failed) Received-SPF: pass client-ip=2a00:1450:4864:20::443; envelope-from=liliana.prikler@gmail.com; helo=mail-wr1-x443.google.com X-Spam_score_int: 6 X-Spam_score: 0.6 X-Spam_bar: / X-Spam_report: (0.6 / 5.0 requ) DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RDNS_NONE=0.793, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=no autolearn_force=no X-Spam_action: no action X-BeenThere: guix-devel@gnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+larch=yhetil.org@gnu.org Sender: "Guix-devel" X-Migadu-Flow: FLOW_IN X-Migadu-Country: US ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1641233642; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:list-id:list-help: list-unsubscribe:list-subscribe:list-post:dkim-signature; bh=rXZC5u8W1NOnrG+a9aQnHdtlJp+7iCZgd98qQ3phecg=; b=AICExf9+cOV8Rq8hIpu6XYQ0rBeW+I9bm8cyqYpap3je0sa6m+Gc6Jt9ulfObVRsknM9gk 3/6ynWP3GLNbCJh4rwV8LB7o97jhXn9F2i6BlUBgCNAeFOHdrLI5zkLAJ/3g2HymE6d0ru YlrYWoido1gu8Yd/J4CNX4Eis32sJG4HMrmhEfSH6OTvUtM3FWkiI92AIPudBS6YhtQIWc x5m6BTjQxCoW3XO5Dj1Cluj5n9oygPVlEafGgzd/H2zFN/Sqs+ylYmMAuWntCMwSp3WJzI xRGlqJGi/0ORtI2tM9T6aRxrnL4R72UUYKpvqC9ViWHHa7Ej9yYNG276RRJfeQ== ARC-Seal: i=1; s=key1; d=yhetil.org; t=1641233642; a=rsa-sha256; cv=none; b=Tp8XFL1Z9xIhe3DWQabrKJ2HDWsI4pIuV8/4IjfQbr3Av9cF5D8zaI7Ppx+9/gu40cBSux GA+L43xC34gmpbPuxtWlbaSZKnIlNf8Af39W5TLNcKUa9uUwa03Z9kUqBwPHoQ47BK+tnd vmewID7iX1tDftW1dm+BI5eNg7tNgXBQVH4mULX/bIK23wu1pZVP+ElgLb/TlpvZzCpvBO aMvaViUeT8WjuSt5PQpYVgVYYyl1oE8w5oaid/UOwD3nkpTM5Qt4rwnb3gJLaNGB/WdLV0 RYe1fDYawZuqmsPaJT3fn2WUO3jr0jl5XBJYuxUFv4/U7TynnOcbZZILoFv5Qg== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=pass header.d=gmail.com header.s=20210112 header.b=nOOtT0SO; dmarc=pass (policy=none) header.from=gmail.com; spf=pass (aspmx1.migadu.com: domain of "guix-devel-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-devel-bounces+larch=yhetil.org@gnu.org" X-Migadu-Spam-Score: -6.09 Authentication-Results: aspmx1.migadu.com; dkim=pass header.d=gmail.com header.s=20210112 header.b=nOOtT0SO; dmarc=pass (policy=none) header.from=gmail.com; spf=pass (aspmx1.migadu.com: domain of "guix-devel-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-devel-bounces+larch=yhetil.org@gnu.org" X-Migadu-Queue-Id: 15FC3341D8 X-Spam-Score: -6.09 X-Migadu-Scanner: scn0.migadu.com X-TUID: IDs59fp2JPep Am Montag, dem 03.01.2022 um 10:22 +0100 schrieb zimoun: > Hi Liliana, > > On Sun, 02 Jan 2022 at 22:35, Liliana Marie Prikler > wrote: > > > > The statement still appears to me wrong because Git commit hash > > > only depends on the content itself. > > > > If you define content through the NAR hash used by Guix, I'm pretty > > sure vanity commits invalidate that statement. > > I do not understand what it means – not to say I think your comment > does not make sense at all.  Well, I already took the time to explain > twice how it works. > > > Nothing agains Yhetil, but that page did break for me yesterday with a 502. If you have anything important to say, (partially) quoting yourself would be much preferred while still adding said link for curious outsiders, because then I can use an intrinsic lookup mechanism using only my own mailbox rather than an extrinsic one. Anyway, the point here is a rather simple one that you can base on your own explanations. Due to the different ways Guix and Git filter, serialize and hash content, you can have two objects O and O', such that Git hashes O and O' differently, but Guix does not, and similarly two objects O and O' such that Guix hashes them differently, but Git does not. Finding particular values for O and O' would in some cases be computationally expensive, especially if you want to force a hash collision in SHA-256 instead of reusing the same files but attaching a different commit message, but theoretically possible, and if theoretic possibilities is something you want to base your policies on, that is a thing to consider. > Maybe you also deny the Git documentation saying «Git is a > content-addressable filesystem.» > > I don't see why I ought to. At this point we're very far removed from my original claim. However, speaking about file systems, they do support a variety of operations and one of them which Git has goes by the familiar command "rm -rf /". (And even if Git didn't, Git over HTTPS certainly does particularly when only considering 'git clone', so that'd again be a moot point to argue). All file systems, content-addressable or otherwise will run out of names if the space to store them is finite while the number of files to store is not. Some allow the user to overwrite existing files even if that pool has not yet been exhausted. You might see that as a vulnerability. I don't really care. > I have the impression that you are trying to keep your statement by > stretching how it concretely works.  Instead of just say: “My bad, I > was going too far with the chosen-prefix attack of SHA-1”.  And > that’s fine because that’s a valid objection.  (Even if I was already > aware, mentioning such issue helps for a sane collective discussion, > IMHO.) I'm not trying to sell you on Fossil, but even before SHA-mbles, SHAttered were the first to claim that Git was broken due to their attack [1]. Which doesn't necessarily mean their attack is practical against Git, for they haven't demonstrated it, but if you want to stoke fear, go ahead. (Speaking towards a general you, not you personally.) I'm not trying to stoke fear, I'm arguing that "raw string in for robustness" is a bad take for a multitude of reasons. No matter what scenarios you think up for other repos out there, the worst effect on Guix in the foreseeable future is that it's going to barf a hash mismatch at you if you try to `guix build -S'. Which if you want to weaken the robustness claim even more is going to happen for a dozen commits in a selection in the span of a few years. Depending on where you live, it's likelier you (again general you) got the rona within the last week than a package caught the hashies. [1] https://shattered.io/