[devel] hash collision in rpm

[Dmitry V. Levin]

On Wed, May 05, 2021 at 08:40:27AM +0300, Alexey Tourbin wrote:
[...]
> By the way, there's a clever way to detect collisions at a higher
> level, even though low-level collisions are unavoidable, subject to
> implacable math. We can take advantage of the fact that the build
> system synchronizes package builds across a few architectures.
> Currently, if a missing symbol goes undetected due to a hash
> collision, it does so on all architectures simultaneously. To change
> that, we need to hash symbols differently, depending on the target
> architecture (we can pass seed=hash(arch) to the hash function, or use
> different initialization vectors IV=hash(arch)).  The desired outcome
> is that when a missing symbol goes undetected, it does so, with an
> overwhelming probability, on only one target.  Roughly speaking, if
> the probability of an undetected missing symbol is 10^-3 on a single
> target, it must be 10^-6 on two targets, 10^-9 on thee targets, etc.

This looks very promising indeed.  I suppose the gain would justify
the necessary rebuilding of all packages with set-versions in their
arch-specific dependencies.


-- 
ldv