<html><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div><blockquote type="cite"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0.8ex; border-left-width: 1px; border-left-color: rgb(204, 204, 204); border-left-style: solid; padding-left: 1ex; position: static; z-index: auto; "><div style="word-wrap:break-word"><div><div class="im"><blockquote type="cite"><div class="gmail_quote"><div>c) fun things would happen with a SHA collision! ;)</div> </div></blockquote><div><br></div></div><div>c) Hehe, I think I detect a hint of sarcasm. If there is a SHA1 collision then you'd probably make a lot of money!</div><div class="im"><div><br></div><div></div></div></div></div></blockquote><div><br></div><div> C is a serious concern. SHA-1 collisions are now 2^51 - <a href="http://eprint.iacr.org/2009/259.pdf">http://eprint.iacr.org/2009/259.pdf</a></div></div></blockquote>
<div><br></div><div>This time I didn't detect sarcasm =)</div><div><br></div>
<div>I was actually aware of that paper. I saw it on Reddit this past week, and although they complained about the fact that it has not yet been reviewed I think it could very well be valid. It's been known that SHA1 has been theoretically broken (not perfect 2**80) for some time now: (2005)</div><div><a href="http://www.schneier.com/blog/archives/2005/02/sha1_broken.html">http://www.schneier.com/blog/archives/2005/02/sha1_broken.html</a></div><div><br></div>
<div>However, its application in this Repository idea is not to be a cryptographically secure hash, it would just be to perform a quick, reliable hash of the contents and to produce a unique identifier. There would be no security concerns in the impossibly rare chance that two scripts' hashes collide. Just add some whitespace to the text somewhere! It would even be easy to debug with standard tools such as Firefox's Firebug and Webkit's Web Inspector. Hahaha =)</div><div><br></div>
<div>Also, Git and Mercurial (distributed version control systems) have been using SHA1 for the exact same purpose for years. I'm more familiar with Git's use of SHA1 and it uses it everywhere in the internals (file contents, directory listings, commit history). </div><div><br></div>
<div>Finally, if anyone here is seriously concerned with SHA1 just move to SHA-256 or SHA-512. With a repository unlikely to grow into the thousands, much less the millions, the chances of a collision even in 2**51 (2251799813685248 base 10) are bold thinking ;)</div><div><br></div>
<div>I'm not attacking anyone here, I'm just clarifying why I think SHA1 is not a bad choice. Collision will always be an issue when an infinite number of things gets reduced to a finite set of values, but the concern is negligible when done right.</div><div><br></div>
<div>Cheers</div><div>- Joe</div><div><br></div></div></body></html>