[Scons-dev] Hashes

Bill Deegan bill at baddogconsulting.com
Fri Oct 27 00:28:05 EDT 2017 

Indeed.
SCons is not(currently) in the business of providing security assured
builds.
(Nor as far as I know is any other build system, though I keep finding new
ones I'd never heard of or that are getting released to the public from
being strictly internal tools (google..))

Just correct builds.
(If someone wants to intentionally break it, then that will work.)

On Thu, Oct 26, 2017 at 5:07 AM, Daniel Holth <dholth at gmail.com> wrote:

> blake2 is supposed to be very fast, faster than md5. It would probably
> break the 'scons uses stdlib only' rule though. https://blake2.net/
>
> I assume to break scons you would have to update the same filename with
> its md5 collision [while keeping the timestamps the same]?
>

And file size..


> People have tried to put sha1 collisions in their git repositories as test
> input only to find that git breaks. They can cause mischief.
>
> On Thu, Oct 26, 2017 at 10:00 AM Jonathon Reinhart <
> jonathon.reinhart at gmail.com> wrote:
>
>> I believe you will never encounter an accidental MD5 collision in the way
>> that SCons uses it. [1] All of the MD5 collisions being publicized are
>> intentional; leveraging a chosen-prefix attack. Does SCons really care to
>> address the case where someone is intentionally generating collisions? I
>> imagine not.
>>
>> MD5 is still the fastest general-purpose hashing algorithm [2]. So I so
>> reason for SCons to worry about changing hash algorithms.
>>
>> Jonathon Reinhart
>>
>> [1]: https://stackoverflow.com/a/937798/119527
>> [2]: https://stackoverflow.com/a/2723941/119527
>>
>>
>> On Thu, Oct 26, 2017 at 7:58 AM, Russel Winder <russel at winder.org.uk>
>> wrote:
>>
>>> I may just be out of date: is SCons using MD5 for hashing?
>>>
>>> Clearly SCons is not that interested in security or true persistence
>>> level hashing, but given the issue of clashing might MD5 now not be
>>> useful?
>>>
>>> --
>>> Russel.
>>> ============================================================
>>> =================
>>> Dr Russel Winder      t: +44 20 7585 2200   voip:
>>> sip:russel.winder at ekiga.net
>>> 41 Buckmaster Road    m: +44 7770 465 077   xmpp: russel at winder.org.uk
>>> London SW11 1EN, UK   w: www.russel.org.uk  skype: russel_winder
>>> _______________________________________________
>>> Scons-dev mailing list
>>> Scons-dev at scons.org
>>> https://pairlist2.pair.net/mailman/listinfo/scons-dev
>>>
>>>
>> _______________________________________________
>> Scons-dev mailing list
>> Scons-dev at scons.org
>> https://pairlist2.pair.net/mailman/listinfo/scons-dev
>>
>
> _______________________________________________
> Scons-dev mailing list
> Scons-dev at scons.org
> https://pairlist2.pair.net/mailman/listinfo/scons-dev
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist2.pair.net/pipermail/scons-dev/attachments/20171026/c863809a/attachment-0001.html>

More information about the Scons-dev mailing list