Hi,

On Fri, 18 Aug 2006, Trekie wrote:

> Johannes Schindelin wrote:
> > SHA1 has been broken (collisions have been found):
> >
> > http://www.schneier.com/blog/archives/2005/02/sha1_broken.html
>
> I don't think you're right. That blog just says that Wang can find
> "collisions in the full SHA-1 in 2**69 hash operations, much less
> than the brute-force attack of 2**80 operations based on the hash length."

True. I have not heard of a collision either.

> The point is why use MD5 if anyone can compute a collision?

It does not suffice to generate collisions to make a hash unusable for our
purposes: you would have to find a way to produce another text for a _given_
hash. Plus, this text would not only have to look meaningful, but compile. And
preferably introduce a back door.

Granted, once people find out how to generate another text, they can try to
"optimize" some block between "/*" and "*/", so that the hash stays the same.
But AFAICT none of the breaks of SHA1 or MD5 point into such a direction. Yet.

But _even if_ somebody succeeds in all that, that somebody has to convince
_you_ to pull. And if you already have that object (the "good" version), it
will not get overwritten.

Ciao,
Dscho

-
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
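The two points Dscho makes above (a collision is not a second preimage for a hash you already trust, and git never overwrites an object it already has) can be shown concretely. The following is an added example written for this thread, not code from git or from anyone in the discussion. It models git's blob naming exactly (digest of `blob <size>\0` plus the bytes, which for real SHA-1 reproduces git's ids) and a toy first-writer-wins object store. To make the searches finish instantly, it deliberately truncates SHA-1 to 16 bits; that truncation, the `candidate`/`forged` messages and the `good version` blob are all constructed for illustration, and the `ObjectStore`, `find_collision` and `find_second_preimage` names are this example's own.

```python
"""Toy model of git's content-addressed object store, plus a demonstration on a
deliberately weakened hash of why "collisions exist" is a weaker statement than
"I can forge another object for an id you already trust".

Example code written for this thread, not part of git.  The 16-bit truncation
and all sample messages are constructed for illustration only."""
import hashlib
from typing import Callable, Dict, Tuple

Digest = Callable[[bytes], bytes]


def sha1_digest(data: bytes) -> bytes:
    """The real thing: what git (2006 era) uses to name objects."""
    return hashlib.sha1(data).digest()


def truncated_sha1(nbytes: int) -> Digest:
    """Deliberately weak digest (first nbytes of SHA-1) so the searches below run in
    well under a second.  Never use anything like this for real."""
    return lambda data: hashlib.sha1(data).digest()[:nbytes]


def git_blob_id(content: bytes, digest: Digest = sha1_digest) -> str:
    """git names a blob by hashing the header "blob <size>\\0" followed by the bytes.
    With the real SHA-1 digest this reproduces the ids `git hash-object` prints."""
    return digest(b"blob %d\x00" % len(content) + content).hex()


class ObjectStore:
    """Minimal git-like store: objects are keyed by their id, and an id that is
    already present is never replaced (first writer wins), which is the
    "it will not get overwritten" property from the mail above."""

    def __init__(self, digest: Digest = sha1_digest) -> None:
        self._digest = digest
        self._objects: Dict[str, bytes] = {}

    def put(self, content: bytes) -> Tuple[str, bool]:
        """Return (object id, stored).  stored is False when the id already existed,
        in which case the existing bytes are kept and the new ones are dropped."""
        oid = git_blob_id(content, self._digest)
        if oid in self._objects:
            return oid, False
        self._objects[oid] = content
        return oid, True

    def get(self, oid: str) -> bytes:
        return self._objects[oid]


def find_collision(digest: Digest, limit: int = 1 << 20) -> Tuple[bytes, bytes, int]:
    """Birthday search: ANY two distinct blobs sharing an id.  Expected work is about
    2^(n/2) for an n-bit digest; the attacker controls both messages."""
    seen: Dict[str, bytes] = {}
    for i in range(limit):
        m = b"candidate %d\n" % i          # constructed sample message
        oid = git_blob_id(m, digest)
        if oid in seen:
            return seen[oid], m, i + 1
        seen[oid] = m
    raise RuntimeError("no collision within limit")


def find_second_preimage(digest: Digest, target: bytes, limit: int = 1 << 22) -> Tuple[bytes, int]:
    """Second-preimage search: a different blob with the id of a GIVEN blob.  Expected
    work is about 2^n, and the attacker does not get to choose the target."""
    want = git_blob_id(target, digest)
    for i in range(limit):
        m = b"forged %d\n" % i             # constructed sample message
        if m != target and git_blob_id(m, digest) == want:
            return m, i + 1
    raise RuntimeError("no second preimage within limit")


def demo_no_overwrite(digest: Digest) -> Dict[str, object]:
    """Store one half of a collision, then try to push the other half on top of it."""
    good, bad, tries = find_collision(digest)
    store = ObjectStore(digest)
    oid, stored_good = store.put(good)
    oid_again, stored_bad = store.put(bad)
    return {
        "collision_tries": tries,
        "same_id": oid == oid_again,
        "stored_good": stored_good,
        "stored_bad": stored_bad,
        "kept_original": store.get(oid) == good,
    }


if __name__ == "__main__":
    weak = truncated_sha1(2)               # 16-bit digest, constructed for the demo
    print("empty blob id:", git_blob_id(b""))
    print("collision demo:", demo_no_overwrite(weak))
    _, k = find_second_preimage(weak, b"good version\n")
    print("second preimage on 16-bit digest took", k, "tries")
```

Run on the 16-bit digest, the birthday search typically finishes in a few hundred tries while the second-preimage search needs on the order of tens of thousands, which is the gap between "collisions exist" and "someone can forge the object you already have"; and even with a manufactured collision, the store keeps the first object it saw.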