Re: limits for package name and version (MBF alert: ... .deb filenames)
Henrique de Moraes Holschuh <hmh <at> debian.org> writes:
> I do think you misunderstood my point in the hash issue. My point is not
> that a full hash will not collide. The point is that the full hash as seen
> in a tree received from the upstream DVCS should not see colisions, because
> the collision would have happened before the colliding object was visible to
> anyone retrieving that tree (and abort the operation that was trying to add
> the colliding object/corrupt the repository/whatever).
>
> There is no mathematical misunderstanding in that AFAIK (please explain if
> there is one. By private mail, if necessary).
The main mathematical issue are the probabilities involved. The probability of
getting a 160-bit hash collision by chance is infinitesimally small. In a
repository with less than a billion separate hashed objects the probability of
getting a match for just the first 80-bit half of the hash is less than one in
a million. If software reported a full 160-bit hash match for an object (that
was not specially constructed using some as-yet-unknown algorithm for
producing hash collisions) you could immediately rule out the possibility of
such a collision having actually happened - it'd be a software bug, a hardware
error or a prank by someone.
Thus it's ridiculous to claim that full hashes would be needed for uniqueness
in any practical versioning use. And if you want to consider theoretical
questions about what'd happen in a hash collision case then that'll really
depend on implementation details of the DCVS.
Reply to: