
No it isn't. Please tell me how you achieve security without storing hashes in a DB? The default is only for those who'd prefer not to run their own DB. You are welcome to run your own DB if you want.

Why are you so upset that other people will be using a feature you obviously won't? Why are you upset when this leaks literally no info that your github repo doesn't already?



> No it isn't. Please tell me how you achieve security without storing hashes in a DB?

I bet the DB is small enough that you could default to just downloading it and syncing on your machine.


256 byte hash x 10000 packages x 10 package versions = 25mb

That's a conservative estimate, and if you try to sync only what's needed you're no better off than not syncing.


Yeah, I've got 25 megs of disk space.

If you try syncing the whole thing incrementally (rsync-style), all you leak is the frequency of your updates.


> I bet

Care to maybe check real quick before making bets?


In the default configuration, the checksum database currently has 657 level-0 tiles. The raw log data associated with each level-0 tile seems to be about 50KB. You could store the entire current checksum database log in about 30 MiB. You could store the level-0 hash tiles in 5 MiB.

This makes sense, right? Cargo, the Rust package manager, does replicate the entire package index using git and it is ~250 MiB (~150 MiB in .git/). (The cargo index stores much more metadata in a more verbose JSON format.) It seems like a very reasonable bet considering prior art.



