Continue the 1.10 alphas?

Continue the 1.10 alphas?

Julian Foad-5
Just asking...

As I understand it, we paused the issuing of 1.10 alpha releases because
we considered that the final 1.10 release will need to address the SHA1
collision issue otherwise it won't be considered a viable release.

It seemed reasonable to pause for a bit while the SHA1 issue was worked
on, and Stefan2 has done some work on that. But currently it seems that
there is nobody doing any further work on it.

We could continue waiting, or maybe now we should resume the alpha
testing of the new features (conflict resolution), and let the SHA1 work
be fixed as and when someone is motivated to do so (before or after
1.10). It seems to me that sometimes in open source we need to get on
with doing what we can do, and just trust that someone else will do the
rest.

Thoughts?

- Julian

Re: Continue the 1.10 alphas?

Johan Corveleyn-3
On Mon, May 1, 2017 at 10:54 PM, Julian Foad <[hidden email]> wrote:

> Just asking...
>
> As I understand it, we paused the issuing of 1.10 alpha releases because we
> considered that the final 1.10 release will need to address the SHA1
> collision issue otherwise it won't be considered a viable release.
>
> It seemed reasonable to pause for a bit while the SHA1 issue was worked on,
> and Stefan2 has done some work on that. But currently it seems that there is
> nobody doing any further work on it.
>
> We could continue waiting, or maybe now we should resume the alpha testing
> of the new features (conflict resolution), and let the SHA1 work be fixed as
> and when someone is motivated to do so (before or after 1.10). It seems to
> me that sometimes in open source we need to get on with doing what we can
> do, and just trust that someone else will do the rest.
>
> Thoughts?

+1.

I think this "pause-for-sha1-fixes" has now taken more than long
enough. We should try gathering our focus again on releasing 1.10, and
get the improvements it brings in the hands of users.

--
Johan

Re: Continue the 1.10 alphas?

Stefan Sperling
On Mon, May 01, 2017 at 11:57:54PM +0200, Johan Corveleyn wrote:

> On Mon, May 1, 2017 at 10:54 PM, Julian Foad <[hidden email]> wrote:
> > Just asking...
> >
> > As I understand it, we paused the issuing of 1.10 alpha releases because we
> > considered that the final 1.10 release will need to address the SHA1
> > collision issue otherwise it won't be considered a viable release.
> >
> > It seemed reasonable to pause for a bit while the SHA1 issue was worked on,
> > and Stefan2 has done some work on that. But currently it seems that there is
> > nobody doing any further work on it.
> >
> > We could continue waiting, or maybe now we should resume the alpha testing
> > of the new features (conflict resolution), and let the SHA1 work be fixed as
> > and when someone is motivated to do so (before or after 1.10). It seems to
> > me that sometimes in open source we need to get on with doing what we can
> > do, and just trust that someone else will do the rest.
> >
> > Thoughts?
>
> +1.
>
> I think this "pause-for-sha1-fixes" has now taken more than long
> enough. We should try gathering our focus again on releasing 1.10, and
> get the improvements it brings in the hands of users.

I agree!

I was one of the people pushing for more SHA1 fixes but I did not find
time to do any of that work myself. I will not object if we decide that
these changes will have to happen later on. We do not seem to have enough
resources to push more SHA1 fixes through right now. So let's do whatever
else we can get done instead.

Re: Continue the 1.10 alphas?

Jacek Materna
Great to hear on 1.10 move along.

On SHA1 I can help if you feel it may move things along in parallel - we ended up having to use the pre-commit hook for our customer base as per https://svn.apache.org/viewvc/subversion/trunk/tools/hook-scripts/reject-known-sha1-collisions.sh?view=markup&pathrev=1784336

best.
-jacek

On Tue, May 2, 2017 at 3:32 AM, Stefan Sperling <[hidden email]> wrote:
> On Mon, May 01, 2017 at 11:57:54PM +0200, Johan Corveleyn wrote:
> > On Mon, May 1, 2017 at 10:54 PM, Julian Foad <[hidden email]> wrote:
> > > Just asking...
> > >
> > > As I understand it, we paused the issuing of 1.10 alpha releases because we
> > > considered that the final 1.10 release will need to address the SHA1
> > > collision issue otherwise it won't be considered a viable release.
> > >
> > > It seemed reasonable to pause for a bit while the SHA1 issue was worked on,
> > > and Stefan2 has done some work on that. But currently it seems that there is
> > > nobody doing any further work on it.
> > >
> > > We could continue waiting, or maybe now we should resume the alpha testing
> > > of the new features (conflict resolution), and let the SHA1 work be fixed as
> > > and when someone is motivated to do so (before or after 1.10). It seems to
> > > me that sometimes in open source we need to get on with doing what we can
> > > do, and just trust that someone else will do the rest.
> > >
> > > Thoughts?
> >
> > +1.
> >
> > I think this "pause-for-sha1-fixes" has now taken more than long
> > enough. We should try gathering our focus again on releasing 1.10, and
> > get the improvements it brings in the hands of users.
>
> I agree!
>
> I was one of the people pushing for more SHA1 fixes but I did not find
> time to do any of that work myself. I will not object if we decide that
> these changes will have to happen later on. We do not seem to have enough
> resources to push more SHA1 fixes through right now. So let's do whatever
> else we can get done instead.



--

Jacek Materna
CTO

Assembla
210-410-7661

Re: Continue the 1.10 alphas?

Johan Corveleyn-3
On Tue, May 2, 2017 at 3:21 PM, Jacek Materna <[hidden email]> wrote:
> Great to hear on 1.10 move along.
>
> On SHA1 I can help if you feel it may move things along in parallel - we
> ended up having to use the pre-commit hook for our customer base as per
> https://svn.apache.org/viewvc/subversion/trunk/tools/hook-scripts/reject-known-sha1-collisions.sh?view=markup&pathrev=1784336

Yes, that pre-commit hook is certainly a good thing at the moment.
Maybe we can give it more visibility and make it more accessible when
releasing 1.10.

IIUC, after Stefan Fuhrmann's recent commits trunk can now handle sha1
collisions in the back end, i.e. the repository can store both
colliding files correctly. So with 1.10 it would no longer be
necessary to protect the back-end with this hook. But the client-side
and 'svnadmin dump / load' still have problems. And even if those were
fixed, the hook would still be useful to support older clients from
your 1.10 server.

--
Johan

Re: Continue the 1.10 alphas?

Jacek Materna
Agreed - let me look into Stefan's mods - I can take a look at the client-side after that to see if I have a slot in the short-term.

What's a reasonable / agreed way of "giving something more visibility - re: hook" ?

-j 

On Tue, May 2, 2017 at 11:29 PM, Johan Corveleyn <[hidden email]> wrote:
> On Tue, May 2, 2017 at 3:21 PM, Jacek Materna <[hidden email]> wrote:
> > Great to hear on 1.10 move along.
> >
> > On SHA1 I can help if you feel it may move things along in parallel - we
> > ended up having to use the pre-commit hook for our customer base as per
> > https://svn.apache.org/viewvc/subversion/trunk/tools/hook-scripts/reject-known-sha1-collisions.sh?view=markup&pathrev=1784336
>
> Yes, that pre-commit hook is certainly a good thing at the moment.
> Maybe we can give it more visibility and make it more accessible when
> releasing 1.10.
>
> IIUC, after Stefan Fuhrmann's recent commits trunk can now handle sha1
> collisions in the back end, i.e. the repository can store both
> colliding files correctly. So with 1.10 it would no longer be
> necessary to protect the back-end with this hook. But the client-side
> and 'svnadmin dump / load' still have problems. And even if those were
> fixed, the hook would still be useful to support older clients from
> your 1.10 server.
>
> --
> Johan



--

Jacek Materna
CTO

Assembla
210-410-7661

Re: Continue the 1.10 alphas?

Johan Corveleyn-3
On Thu, May 4, 2017 at 12:34 PM, Jacek Materna <[hidden email]> wrote:
> Agreed - let me look into Stefan's mods - I can take a look at the
> client-side after that to see if I have a slot in the short-term.

Okay. Concerning the working copy: IIUC if "fixing" means "making it
possible to store sha1 collisions in a working copy", it's more or
less impossible to fix this without a "format bump" of the working
copy format (which means the fix can't be backported to 1.9 or 1.8 --
and even for trunk / 1.10, a format bump is currently not planned).
But "fixing" can also mean "rejecting the collision in a graceful
way". That's probably much more realistic, and perhaps backportable.
Though I believe there are big questions about the performance impact
of any solution ...

Anyway, if you want to look into this, please start a new thread to
discuss your ideas first (we need to come to a consensus first about
*what behaviour we want*, and how this could be achieved).

> What's a reasonable / agreed way of "giving something more visibility - re:
> hook" ?

I guess the 1.10 release notes are an option. And our FAQ. Maybe a FAQ
should be the first priority, as this issue applies to all older
releases. Are you willing to draft something (either as a patch
against [1], or just as a written suggestion)? If so, please send it
in another thread too, so we can keep this thread focused on getting
1.10 alphas rolling again :-).

[1] http://svn.apache.org/repos/asf/subversion/site/publish/faq.html

Thanks,
--
Johan
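
The "rejecting the collision in a graceful way" option from the message above, sketched as an added example (not part of the thread and not Subversion's working-copy code). It assumes a toy store that keys contents by digest; `PristineStore`, `weak_key` and `find_colliding_pair` are hypothetical names, and the key is a one-byte truncation of SHA-1 so that a constructed colliding pair is available offline.

```python
import hashlib
from itertools import count


class CollisionError(Exception):
    """Two different contents map to the same store key."""


def weak_key(data: bytes) -> str:
    # Constructed stand-in for SHA-1: only the first byte of the digest,
    # so that a colliding pair can be found instantly and offline.
    return hashlib.sha1(data).hexdigest()[:2]


def find_colliding_pair():
    """Return two distinct byte strings that share the same weak_key."""
    seen = {}
    for i in count():
        data = b"constructed sample %d" % i
        key = weak_key(data)
        if key in seen:
            return seen[key], data
        seen[key] = data


class PristineStore:
    """Toy content-addressed store (hypothetical, for illustration)."""

    def __init__(self, check_collisions: bool):
        self.check_collisions = check_collisions
        self._blobs = {}  # key -> (sha256 hex digest or None, content)

    def install(self, data: bytes) -> str:
        key = weak_key(data)
        # The second digest is the extra per-file cost of the check.
        strong = hashlib.sha256(data).hexdigest() if self.check_collisions else None
        held = self._blobs.get(key)
        if held is None:
            self._blobs[key] = (strong, data)
        elif self.check_collisions and held[0] != strong:
            raise CollisionError(f"key {key} already holds different content")
        return key  # unchecked store: the second content is silently dropped

    def read(self, key: str) -> bytes:
        return self._blobs[key][1]
```

With `check_collisions=False` the second file of a colliding pair reads back as the first file's content; with the check enabled the install fails with `CollisionError` instead.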

Re: Continue the 1.10 alphas?

Jacek Materna
Great! Will do - thanks for the guidance-

-j

On Thu, May 4, 2017 at 1:53 PM, Johan Corveleyn <[hidden email]> wrote:
> On Thu, May 4, 2017 at 12:34 PM, Jacek Materna <[hidden email]> wrote:
> > Agreed - let me look into Stefan's mods - I can take a look at the
> > client-side after that to see if I have a slot in the short-term.
>
> Okay. Concerning the working copy: IIUC if "fixing" means "making it
> possible to store sha1 collisions in a working copy", it's more or
> less impossible to fix this without a "format bump" of the working
> copy format (which means the fix can't be backported to 1.9 or 1.8 --
> and even for trunk / 1.10, a format bump is currently not planned).
> But "fixing" can also mean "rejecting the collision in a graceful
> way". That's probably much more realistic, and perhaps backportable.
> Though I believe there are big questions about the performance impact
> of any solution ...
>
> Anyway, if you want to look into this, please start a new thread to
> discuss your ideas first (we need to come to a consensus first about
> *what behaviour we want*, and how this could be achieved).
>
> > What's a reasonable / agreed way of "giving something more visibility - re:
> > hook" ?
>
> I guess the 1.10 release notes are an option. And our FAQ. Maybe a FAQ
> should be the first priority, as this issue applies to all older
> releases. Are you willing to draft something (either as a patch
> against [1], or just as a written suggestion)? If so, please send it
> in another thread too, so we can keep this thread focused on getting
> 1.10 alphas rolling again :-).
>
> [1] http://svn.apache.org/repos/asf/subversion/site/publish/faq.html
>
> Thanks,
> --
> Johan



--

Jacek Materna
CTO

Assembla
210-410-7661