[Scons-dev] RFC: Proposal for remote caching
Mats Wichmann
mats at wichmann.us
Mon Dec 9 13:34:47 EST 2019
> 2.1.3 Changes Needed To Bazel Remote Cache Server
>
> Currently the Bazel remote cache server only supports SHA-256 for requests (e.g. GET http://bazel-cache.corp.int/cache/ac/<sha_256_hash>), while SCons by default uses MD5. As part of this project, VMware will be contributing code to the upstream Bazel remote cache server project to support MD5 and SHA-1. We have received confirmation from the project maintainer that (1) it is acceptable to do this and (2) no prefix is needed for these alternative hashing formats. As a result, the requests SCons would make would be of the form http://bazel-cache.corp.int/cache/ac/<md5_hash> or http://bazel-cache.corp.int/cache/ac/<sha1_hash>. As mentioned before, see the Threat Modeling section at the end of this page for more discussion on hash formats.
I'm not sure we should actually further push md5. While it's not
intended to be used for security purposes (and yes I read the section on
that), we've already run into users who are not allowed to use it no
matter what (there's a pending patch to failover to sha1 to address one
of those users' concerns)... and there are fast algorithms in the SHA-2
family as well as ones that didn't quite make the SHA-3 choice (namely,
Blake) which are quite fast on Python. It may be time to transition?
More information about the Scons-dev
mailing list