Closed alexander-akait closed 4 years ago
Merging #369 into master will not change coverage by
%
. The diff coverage is100.00%
.
@@ Coverage Diff @@
## master #369 +/- ##
=========================================
Coverage 100.00% 100.00%
=========================================
Files 2 2
Lines 29 29
Branches 13 12 -1
=========================================
Hits 29 29
Impacted Files | Coverage Δ | |
---|---|---|
src/index.js | 100.00% <100.00%> (ø) |
Continue to review full report at Codecov.
Legend - Click here to learn more
Δ = absolute <relative> (impact)
,ø = not affected
,? = missing data
Powered by Codecov. Last update e1fe27c...c69953c. Read the comment docs.
May I ask why the default has been switched to MD4? Referring Wikipedia, the risk of a collision is much higher than for MD5 hashes.
I assume it can't be the speed on modern computers.
@jens-duttke for perf reasons, webpack also uses md4 for hashing
risk of a collision
No, not in out cases
@jens-duttke for perf reasons, webpack also uses md4 for hashing
risk of a collision
No, not in out cases
Can you explain why please?
when you retire an outdated hash algo due security concerns, then this security concern would be also the best reason to switch to sha256 algo or better immeditaly. In contrast, I cant see the reason for md4 at all.
btw, md5 is deprecated by experts since Dobbertin, 1996
And wrt md4, quote wikipedia:
MD5 is one in a series of message digest algorithms designed by Professor Ronald Rivest of MIT (Rivest, 1992). When analytic work indicated that MD5's predecessor MD4 was likely to be insecure, Rivest designed MD5 in 1991 as a secure replacement. (Hans Dobbertin did indeed later find weaknesses in MD4.)
Will CRC-1
be the next perf enhancement for webpack?
I'd assume what @evilebottnawi meant is that since the hash is used for caching purposes (not cryptographic purposes) it doesn't matter if there's a high collision risk, because the consequences in the event of a collision are close to nil.
However a non-cryptographic hash function such as xxHash would be much better suited to this use-case than an obsolete cryptographic hashing function, and would most likely be even faster.
It would be nice to get some insight into the reasoning behind this change from the maintainer themselves.
I'd assume what @evilebottnawi meant is that since the hash is used for caching purposes (not cryptographic purposes)
Yes
However a non-cryptographic hash function such as xxHash would be much better suited to this use-case than an obsolete cryptographic hashing function, and would most likely be even faster.
yes, but we can't use it because it is require library compilation and can incompatibility with some platforms
Why md4
?
xxHash
can be problematicmd4
and md5
have collisions (therefore there is no point in arguing)md4
is faster than md5
So using md4
is best solution right now
This change is marked as breaking change. How to adjust file-loader to comply with this change?
@tomaszs I do not know the intention of the library authors for sure, but I guess they chose to bump the major version, because the build result will be different and so all caches will be invalidated. So I think there is no change necessary and you can simply update (this is what I did).
BREAKING CHANGE: use
md4
by default for hashingThis PR contains a:
Motivation / Use-Case
Use
md4
by default for perf reasonsBreaking Changes
Yes
Additional Info
No