On Tue, Oct 16, 2012 at 11:51 AM, Jeff King <peff@xxxxxxxx> wrote:
>> It's worth noting that a SHA-1 collision can be identified at the
>> server because the server performs a byte-for-byte compare of both
>> copies of the object to make sure they match exactly in every way. It's
>> not fast, but it's safe. :-)
>
> Do we? I thought early versions of git did that, but we did not
> double-check collisions any more for performance reasons. You don't
> happen to remember where that code is, do you (not that it really
> matters, but I am just curious)?

We do. I touched that sha-1 collision code last time I updated
index-pack, to support large blobs. We only do that when we receive an
object that we already have, which should not happen often unless
you're under attack, so little performance impact normally. Search
"collision" in index-pack.c
-- 
Duy
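
The check described in the message above, sketched as an added example (not code from the thread or from Git's index-pack.c): a store that pays for a byte-for-byte compare only when an incoming object's id is already present. `ObjectStore`, `weak_id` and `find_colliding_pair` are hypothetical names; `weak_id` truncates the digest to two hex digits purely so the demo can construct a collision.

```python
import hashlib

class CollisionError(Exception):
    """Raised when two different objects map to the same object id."""

def git_object_id(obj_type, data):
    # Git hashes a "<type> <size>\0" header followed by the raw content.
    header = f"{obj_type} {len(data)}".encode() + b"\0"
    return hashlib.sha1(header + data).hexdigest()

def weak_id(obj_type, data):
    # Constructed stand-in: a 2-hex-digit id so collisions are easy to find.
    return git_object_id(obj_type, data)[:2]

class ObjectStore:
    def __init__(self, id_func=git_object_id):
        self._id_func = id_func
        self._objects = {}  # object id -> (type, content)

    def receive(self, obj_type, data):
        oid = self._id_func(obj_type, data)
        existing = self._objects.get(oid)
        if existing is None:
            # Common case: new object, no comparison needed.
            self._objects[oid] = (obj_type, data)
            return oid, "stored"
        # Rare case: we already hold this id, so compare type and every byte.
        if existing != (obj_type, data):
            raise CollisionError(f"collision on {oid}: incoming object rejected")
        return oid, "duplicate"

def find_colliding_pair(id_func):
    # Brute-force two distinct constructed blobs with the same (weak) id.
    seen = {}
    i = 0
    while True:
        data = b"blob-%d" % i
        oid = id_func("blob", data)
        if oid in seen:
            return seen[oid], data
        seen[oid] = data
        i += 1

if __name__ == "__main__":
    store = ObjectStore(id_func=weak_id)
    first, second = find_colliding_pair(weak_id)
    print(store.receive("blob", first))
    try:
        store.receive("blob", second)
    except CollisionError as err:
        print("rejected:", err)
```

The object already in the store is kept and the colliding newcomer is refused, so an honest re-send of an existing object costs one comparison and nothing else.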