Fossil SCM
Added section 2.8 to the fossil-v-git doc: "Hash Algorithm: SHA-3 vs SHA-2 vs SHA-1".
Commit
42b8890cc246d69f5cbed9bd228f2c8465bff3cdc395084cb2d940035a87e2b5
Parent
31bbb40f13184e9…
1 file changed
+36
+36
| --- www/fossil-v-git.wiki | ||
| +++ www/fossil-v-git.wiki | ||
| @@ -38,10 +38,12 @@ | ||
| 38 | 38 | <tr><td>Lots of little tools</td><td>Stand-alone executable</td></tr> |
| 39 | 39 | <tr><td>One check-out per repository</td> |
| 40 | 40 | <td>Many check-outs per repository</td></tr> |
| 41 | 41 | <tr><td>Remembers what you should have done</td> |
| 42 | 42 | <td>Remembers what you actually did</td></tr> |
| 43 | +<tr><td>SHA-1, SHA-256</td> | |
| 44 | + <td>256-bit SHA-3</td></tr> | |
| 43 | 45 | </table></blockquote> |
| 44 | 46 | |
| 45 | 47 | <h3 id="features">2.1 Feature Set</h3> |
| 46 | 48 | |
| 47 | 49 | Git provides file versioning services only, whereas Fossil adds |
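Review bot: The added summary row puts "SHA-1, SHA-256" in one cell and only "256-bit SHA-3" in the other, which is not a like-for-like comparison with the section 2.8 text added later in this same change. That text describes the SHA-256 move as a plan announced in August 2018 and first released in February 2019, and it also says repositories created before Fossil 2 may still be using SHA-1. Consider showing the legacy or transitional state in both cells, or linking the row to the new #hash section, so the table does not claim more than the prose supports.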
| @@ -458,10 +460,44 @@ | ||
| 458 | 460 | limitations that prevent global history rewrites. |
| 459 | 461 | |
| 460 | 462 | One commentator characterized Git as recording history according to |
| 461 | 463 | the victors, whereas Fossil records history as it actually happened. |
| 462 | 464 | |
| 465 | + | |
| 466 | +<h3 id="hash">2.8 Hash Algorithm: SHA-3 vs SHA-2 vs SHA-1</h3> | |
| 467 | + | |
| 468 | +Fossil started out using 160-bit SHA-1 hashes to identify check-ins, | |
| 469 | +just as in Git. That changed in early 2017 when news of the | |
| 470 | +[https://shattered.io/|SHAttered attack] broke, demonstrating that SHA-1 | |
| 471 | +collisions were now practical to create. Two weeks later, the creator of | |
| 472 | +Fossil delivered a new release allowing a clean migration to | |
| 473 | +[https://en.wikipedia.org/wiki/SHA-3|256-bit SHA-3] with | |
| 474 | +[./hashpolicy.wiki|full backwards compatibility] to old SHA-1 based | |
| 475 | +repositories. | |
| 476 | + | |
| 477 | +Here in mid-2019, that feature is now in every OS and package repository | |
| 478 | +known to include Fossil so that the next release as of this writing | |
| 479 | +(Fossil 2.10) will default to enforcing SHA-3 hashes by default. This | |
| 480 | +not only solves the SHAttered problem, it should prevent a reoccurrence | |
| 481 | +for the forseeable future. Only repositories created before the | |
| 482 | +transition to Fossil 2 are still using SHA-1, and then only if the | |
| 483 | +repository's maintainer chose not to switch them into SHA-3 mode some | |
| 484 | +time over the past 2 years. | |
| 485 | + | |
| 486 | +Meanwhile, the Git community took until August 2018 to announce | |
| 487 | +[https://git-scm.com/docs/hash-function-transition/2.18.0|their plan] | |
| 488 | +for solving the same problem by moving to SHA-256 (a variant of the | |
| 489 | +[https://en.wikipedia.org/wiki/SHA-2|older SHA-2 algorithm]) and until | |
| 490 | +February 2019 to release a version containing the change. It's looking | |
| 491 | +like this will take years more to percolate through the community. | |
| 492 | + | |
| 493 | +The practical impact of SHAttered on | |
| 494 | +[https://en.wikipedia.org/wiki/Merkle_tree | Merkle tree] / | |
| 495 | +[./blockchain.md | block chain] structred data stores like Git and | |
| 496 | +Fossil isn't clear, but Fossil moved on the problem quickly and had a | |
| 497 | +widely-deployed solution to it years ago. | |
| 498 | + | |
| 463 | 499 | |
| 464 | 500 | <h2 id="missing">3.0 Missing Features</h2> |
| 465 | 501 | |
| 466 | 502 | Most of the capabilities found in Git are also available in Fossil and |
| 467 | 503 | the other way around. For example, both systems have local check-outs, |
| 468 | 504 |
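Review bot: The second paragraph of the new section 2.8 has wording defects that should be fixed before this lands: "will default to enforcing SHA-3 hashes by default" says "default" twice, and "forseeable" is misspelled, as is "structred" in the final paragraph. The same paragraph states that the change "solves the SHAttered problem", while the closing paragraph says the practical impact of SHAttered on these data stores "isn't clear"; soften one of the two so the section does not contradict itself. "Here in mid-2019" and "over the past 2 years" will go stale, so absolute dates or release numbers would age better. The link markup is also inconsistent: the first three paragraphs use [url|text] without spaces, the last one uses [url | text].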