We've been using md5 for file hashing, which is more or less fine, but cryptographically secure. I've been debating whether that matters. Yes, you can definitely intentionally create md5 collisions if you're being malicious. On the other hand, this is unlikely to be a problem when you're talking about trusted code (hopefully you trust your migrations).
The reason I picked md5 in the first place was to be compatible with the Stack Overflow migrator, but I already do line ending normalization differently, so there's no guarantee that hashes between the two migrators will match. Furthermore, I intend to add a mark-as-run command which will make transitioning from one migrator to the other easier.
Ultimately, there's no particularly good reason to pick md5, and people might question its use in a production environment (whether there's truly any risk or not). I think picking a different hash would be better. SHA-256 is a likely candidate.
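An added example, not code from this project: it shows why hashes only match between two tools when both normalize line endings the same way, and how a stored md5 record can be verified once and rewritten as SHA-256. The normalization rule (CRLF and lone CR become LF), the record shape and all function names are assumptions made for illustration.

```python
import hashlib

# Constructed sample migration: the same script as checked out with LF and with CRLF.
SAMPLE_LF = b"CREATE TABLE Users (Id int NOT NULL);\nGO\n"
SAMPLE_CRLF = SAMPLE_LF.replace(b"\n", b"\r\n")


def normalize_newlines(data: bytes) -> bytes:
    """Assumed rule: CRLF and lone CR both become LF before hashing."""
    return data.replace(b"\r\n", b"\n").replace(b"\r", b"\n")


def migration_hash(data: bytes, algorithm: str = "sha256", normalize: bool = True) -> str:
    """Hex digest of a migration file, optionally after line-ending normalization."""
    if normalize:
        data = normalize_newlines(data)
    return hashlib.new(algorithm, data).hexdigest()


def check_migration(data: bytes, recorded: dict) -> str:
    """Compare a file with its stored record (hypothetical shape: algorithm + hash).

    Returns "changed", "unchanged", or "unchanged-upgrade" when a legacy md5
    record still matches and should be rewritten as SHA-256.
    """
    if migration_hash(data, recorded["algorithm"]) != recorded["hash"]:
        return "changed"
    return "unchanged" if recorded["algorithm"] == "sha256" else "unchanged-upgrade"


def upgrade_record(data: bytes, recorded: dict) -> dict:
    """Rewrite a matching legacy record as SHA-256; refuse if the file has changed."""
    if check_migration(data, recorded) == "changed":
        raise ValueError("file no longer matches its recorded hash")
    return {"algorithm": "sha256", "hash": migration_hash(data)}


if __name__ == "__main__":
    legacy = {"algorithm": "md5", "hash": migration_hash(SAMPLE_LF, "md5")}
    print(check_migration(SAMPLE_CRLF, legacy))
    print(upgrade_record(SAMPLE_CRLF, legacy))
    # Without normalization the two checkouts of the same script hash differently.
    print(migration_hash(SAMPLE_LF, normalize=False)
          == migration_hash(SAMPLE_CRLF, normalize=False))
```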