nietaki
commented
6 years ago Thanks for the suggestion!
I like this idea, especially since it would remove hoplon's dependency on diff. I had a quick look at how Merkle-trees are used in Git and it looks interesting and viable. There's a handful of things holding me back from jumping on it though.
- I like the idea of hoplon being simple and having as few dependencies as possible. To go the Merkle-tree route we'd either need to take a dependency for it or write all the relevant code inside hoplon itself.
- From my experiments with hoplon so far it doesn't seem like the time it takes to diff is the deciding factor in the whole operation. For example, for Ecto, which is one of the heavier dependencies you can take on, it's basically instant on my machine. The time it takes to make all the network calls is much more significant. I'm also curious how the overhead from calculating the hashes would compare to the overhead of using
diff. - as you mentioned SHA-1 is broken, so it would potentially give people one more attack vector compared to naively comparing the files. Keeping it simple might actually be somewhat of a benefit here.
I'll have a closer look at this idea in the future, but as I see it now, I don't think the benefits are strong enough. I'm happy to be proved wrong though :)
hauleth
Git internally is just a Merkle-tree so there is no need for diff as you can just compute Git-compatible tree and compare it with the one stored in repo. In theory it can end with differences (as SHA-1 is broken), but it would allow to speedup first check and reject obvious invalid repos.