Linus Torvalds on SHA1 vulnerabilities [www.gelato.unsw.edu.au]
I have been looking vaguely at distributed SCMs again, with the idea that
we might switch to Arch, svk, or monotone. One thing I have been watching
is the stuff around git, which is what Linus is now shifting to
for the kernel patch management -- and I ran across this hilarious and 100% accurate assessment of people's concerns about SHA1 vulnerabilities...
in fact, this attack cannot even be proven to be malicious, purely via the email from Malice: it could be incredible bad luck that caused that good-looking patch to be mistakenly matching a dangerous object.
I really hate theoretical discussions.
The fact is, a lot of _crap_ engineering gets done because of the question "what if?". It results in over-engineering, often to the point where the end result is quite a lot measurably worse than the sane results. You are _literally_ arguing for the equivalent of "what if a meteorite hit my plane while it was in flight - maybe I should add three inches of high-tension armored steel around the plane, so that my passengers would be protected".
That's not engineering. That's five-year-olds discussing building their imaginary forts ("I want gun-turrets and a mechanical horse one mile high, and my command center is 5 miles under-ground and totally encased in 5 meters of lead").
10:51 AM, 25 Apr 2005 by Jeff Davis
