@hatkidchan@mastodon.astrr.ru @L29Ah@qoto.org
Fossil started out using 160-bit SHA-1 hashes to identify check-ins, just as in Git. That changed in early 2017 when news of the SHAttered attack broke, demonstrating that SHA-1 collisions were now practical to create. Two weeks later, the creator of Fossil delivered a new release allowing a clean migration to 256-bit SHA-3 with full backwards compatibility to old SHA-1 based repositories.
In October 2019, after the last of the major binary package repos offering Fossil upgraded to Fossil 2.x, we switched the default hash mode so that from Fossil 2.10 forward, the conversion to SHA-3 is fully automatic. This not only solves the SHAttered problem, it should prevent a reoccurrence of similar problems for the foreseeable future.
Meanwhile, the Git community took until August 2018 to publish their first plan for solving the same problem by moving to SHA-256, a variant of the older SHA-2 algorithm. As of this writing in February 2020, that plan hasn't been implemented, as far as this author is aware, but there is now a competing SHA-256 based plan which requires complete repository conversion from SHA-1 to SHA-256, breaking all public hashes in the repo. One way to characterize such a massive upheaval in Git terms is a whole-project rebase, which violates Git's own Golden Rule of Rebasing.
Git adherents have been officially trolled
@hatkidchan @larixmar Yeah, it's utter shit, I'm upset. People are already deploying blake3 all over the place, and these guys still have sha2 as experimental.
@kerrigan@pl.jugregator.org @L29Ah@qoto.org @hatkidchan@mastodon.astrr.ru So it seems Fossil never actually migrated, in the sense that it didn't recompute all the old hashes.
@hatkidchan @kerrigan @larixmar There's no need to recompute them anyway; the new hashes will quickly ensure the validity of all the old history.
@L29Ah
> THIS OPTION IS EXPERIMENTAL! SHA-256 support is experimental and still in an early stage. A SHA-256 repository will in general not be able to share work with "regular" SHA-1 repositories. It should be assumed that, e.g., Git internal file formats in relation to SHA-256 repositories may change in backwards-incompatible ways. Only use --object-format=sha256 for testing purposes.