Re: How safe are signed git tags? Only as safe as SHA-1 or somehow safer?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, Nov 25, 2014 at 08:16:15AM +0700, Duy Nguyen wrote:
> On Tue, Nov 25, 2014 at 1:14 AM, Nico Williams <nico@xxxxxxxxxxxxxxxx> wrote:
> > Is there a plan for upgrading to a better hash function in the future?
> >  (E.g., should it become an urgent need.)
> >
> > What are the roadblocks to adoption of a replacement hash function?
> > Just documenting this would go a long way towards making it possible
> > to upgrade some day.
> 
> The biggest obstacle is the assumption of SHA-1 everywhere in the
> source code (e.g. assume the object name always takes 20 bytes). Brian
> started on cleaning that up [1] but I think it's stalled. Then we need
> to deal with upgrade path for SHA-1 repos.

Yes, it is stalled.  It ended up being a Herculean task, so when I pick
up the patch series again, I'll probably submit changes in chunks to
avoid the huge amount of code churn required.  I feel the list and Junio
in particular will appreciate that more.
-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187

Attachment: signature.asc
Description: Digital signature


[Index of Archives]     [Linux Kernel Development]     [Gcc Help]     [IETF Annouce]     [DCCP]     [Netdev]     [Networking]     [Security]     [V4L]     [Bugtraq]     [Yosemite]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux SCSI]     [Fedora Users]