You are viewing a plain text version of this content. The canonical link for it is here.
Posted to oak-issues@jackrabbit.apache.org by "Amit Jain (JIRA)" <ji...@apache.org> on 2017/02/28 03:59:46 UTC
[jira] [Comment Edited] (OAK-5827) Don't use SHA-1 for new
DataStore binaries
[ https://issues.apache.org/jira/browse/OAK-5827?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15887211#comment-15887211 ]
Amit Jain edited comment on OAK-5827 at 2/28/17 3:58 AM:
---------------------------------------------------------
bq. By looking at the patch it looks like it will require a full DS migration to the new SHA algorithm
No, older binaries need not be. See below
bq. when looking up use SHA-256 and if not found fallback on SHA-1
The ids are looked up directly with the blob ids stored in the nodes so, awareness about how the id was constructed is required.
For upgrades we are still good but good to check there are no other issues.
was (Author: amitjain):
bq. By looking at the patch it looks like it will require a full DS migration to the new SHA algorithm
No, older binaries need not be. See below
bq. when looking up use SHA-256 and if not found fallback on SHA-1
The ids are looked up directly with the blob ids stored in the nodes so, awareness about how the id was constructed is required.
> Don't use SHA-1 for new DataStore binaries
> ------------------------------------------
>
> Key: OAK-5827
> URL: https://issues.apache.org/jira/browse/OAK-5827
> Project: Jackrabbit Oak
> Issue Type: Improvement
> Reporter: Thomas Mueller
> Attachments: OAK-5827.patch
>
>
> A [collision for SHA-1|https://www.schneier.com/blog/archives/2017/02/sha-1_collision.html] has been published. We still use SHA-1 for the FileDataStore, and I believe the S3 DataStore right now. Given there is a collision, we should switch to a stronger algorithm, for example SHA-256, for new binaries.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)