Here’s a question: what happens if there’s a collision in the hashing scheme used by Unison? What would happen, and is this something we should worry about?
Currently, Unison is using SHA3-512. Assuming it’s a good hash function, the odds of a collision are astronomically low—2^-512, or about 10^-154. To put this number in perspective, here are some much more worrisome low-probability events:
All right, now that we’re purely in the realm of sci-fi, here’s what would actually happen in the event of a hash collision:
rather than running them. The remote node could also suffer from cosmic-ray-induced memory corruption. If you are evaluating computations remotely at some node, you presumably have some level of trust that the remote node will do so faithfully, or are making some accommodations for the fact that you may not fully trust the remote node (perhaps you are running the same computation at a few remote nodes and checking that they all agree, or perhaps you have some way of checking that the result is “reasonable” without having to do the full computation yourself). But if you did start to suspect that a node was failing to run your computations due to hash collisions, you could actually track this down. It would be annoying to do so, but certainly possible.
More realistically, suppose that due to a weakness in the hash function a nefarious attacker manages to find a collision: a definition evilFunction with the same hash as innocuousFunction. They need to get it to your node somehow. However, they have no way of doing that! The remote evaluation protocol won’t accept a foreign hash if the local node already has that hash locally. And any unknown hashes accepted from foreign nodes are deemed ‘provisional’ and will be used only for evaluating the foreign computation, unless you explicitly decide to trust these hashes and promote them to be runnable in some other sandbox. The exact design of this is somewhat TBD, but the general idea is that you must opt in to each definition you want to trust. Foreign nodes cannot cause definitions to arrive on your node with a higher level of trust than you’ve explicitly assigned.
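As an added illustration of the trust rule just described (a sketch written for this post, not Unison’s own code): a toy node content-addresses definitions with SHA3-512, refuses to let a foreign copy displace a hash it already holds, and admits unknown hashes only as provisional until the operator explicitly promotes them. The Node class, the Trust levels and the definition strings are assumptions of this sketch.

```python
import hashlib
from dataclasses import dataclass, field
from enum import Enum


class Trust(Enum):
    LOCAL = "local"              # defined here, or explicitly promoted by the operator
    PROVISIONAL = "provisional"  # arrived from a foreign node; only for that foreign computation


def unison_hash(source: str) -> str:
    # Content address: SHA3-512 over the definition text (stand-in for real term hashing).
    return hashlib.sha3_512(source.encode()).hexdigest()


@dataclass
class Node:
    defs: dict = field(default_factory=dict)   # hash -> definition source
    trust: dict = field(default_factory=dict)  # hash -> Trust level

    def define(self, source: str) -> str:
        """A definition authored on this node is fully trusted."""
        h = unison_hash(source)
        self.defs[h] = source
        self.trust[h] = Trust.LOCAL
        return h

    def receive_foreign(self, h: str, source: str) -> Trust:
        """A foreign node ships (hash, definition). A hash we already hold is never
        overwritten, so a colliding evilFunction cannot displace innocuousFunction,
        and nothing foreign arrives with more than provisional trust."""
        if h in self.defs:
            return self.trust[h]  # keep the local definition; the foreign copy is ignored
        if unison_hash(source) != h:
            raise ValueError("definition does not match its claimed hash")
        self.defs[h] = source
        self.trust[h] = Trust.PROVISIONAL
        return Trust.PROVISIONAL

    def promote(self, h: str) -> None:
        """Explicit operator opt-in: the only path from provisional to local trust."""
        self.trust[h] = Trust.LOCAL

    def runnable_in_local_sandbox(self, h: str) -> bool:
        return self.trust.get(h) is Trust.LOCAL
```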