Ævar Arnfjörð Bjarmason <avarab@xxxxxxxxx> writes:

> The reality of the current situation is that it's largely mitigated in
> practice because:
>
> a) it's hard to hand someone a crafted blob to begin with for reasons
> that have nothing to do with SHA-1 (they'll go "wtf is this garbage?")
>
> b) even in that case it's *very* hard to come up with two colliding
> blobs that are *useful* for some nefarious purpose, e.g. a program A
> that looks normal being replaced by an evil program B with the same
> SHA-1.

Thanks.  That's a nice rephrasing of

  http://public-inbox.org/git/Pine.LNX.4.58.0504291221250.18901%40ppc970.osdl.org/

where Linus explains SHA-1 is not the security, and the real security
is in distribution.
--
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
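The thread talks about "two colliding blobs" having "the same SHA-1". For a reader following along, it helps to see exactly what git hashes, because a git object id is not the SHA-1 of the file content: it is the hash of a `<type> <size>\0` header followed by the content, so a substituted blob also has to match the length header, and a receiver can recompute and check the id of every object it is handed. The following is an added example written for this page, not code from the thread or from git itself; it reproduces git's object-id computation for both object formats git supports (`sha1` and the newer `sha256`) and shows the integrity check a receiver performs. The sample blobs are constructed.

```python
import hashlib
import hmac

# Git supports two object formats; both hash the same "<type> <size>\0<content>" framing.
SUPPORTED_ALGOS = ("sha1", "sha256")


def git_object_id(kind: str, data: bytes, algo: str = "sha1") -> str:
    """Return the object id git would assign to `data` stored as an object of type `kind`.

    This is the same computation as `git hash-object -t <kind>`: the hash covers the
    header "<kind> <byte length>\\0" and then the raw content.  The header is why a
    collision against a git object id must also agree on the object's length.
    """
    if algo not in SUPPORTED_ALGOS:
        raise ValueError(f"unsupported object format: {algo!r}")
    header = f"{kind} {len(data)}\0".encode("ascii")
    return hashlib.new(algo, header + data).hexdigest()


def verify_object(kind: str, data: bytes, claimed_id: str, algo: str = "sha1") -> bool:
    """Receiver-side integrity check: recompute the id of a fetched object and compare it
    to the id the sender (or a signed tag/commit) claimed.  Constant-time comparison is
    used out of habit; the ids are public, so this is hygiene rather than a requirement.
    """
    return hmac.compare_digest(git_object_id(kind, data, algo), claimed_id)


# Constructed sample blobs: a small script and a one-byte modification of it.
PROGRAM_A = b"#!/bin/sh\necho hello\n"
PROGRAM_A_TAMPERED = b"#!/bin/sh\necho hell0\n"


def compare_blobs() -> dict:
    """Show that the raw SHA-1 of a file differs from its git blob id, and that a
    same-length one-byte change yields a different id under both object formats."""
    return {
        "raw_sha1": hashlib.sha1(PROGRAM_A).hexdigest(),
        "blob_sha1": git_object_id("blob", PROGRAM_A),
        "tampered_blob_sha1": git_object_id("blob", PROGRAM_A_TAMPERED),
        "blob_sha256": git_object_id("blob", PROGRAM_A, "sha256"),
        "tampered_blob_sha256": git_object_id("blob", PROGRAM_A_TAMPERED, "sha256"),
    }


if __name__ == "__main__":
    # Well-known reference values: the empty blob and `echo hello | git hash-object --stdin`.
    print("empty blob :", git_object_id("blob", b""))         # e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
    print("hello blob :", git_object_id("blob", b"hello\n"))  # ce013625030ba8dba906f756967f9e9ca394464a
    for name, value in compare_blobs().items():
        print(f"{name:>22}: {value}")
    print("verify ok  :", verify_object("blob", PROGRAM_A, git_object_id("blob", PROGRAM_A)))
```

The two reference ids printed first can be checked against any git installation (`git hash-object -t blob /dev/null` and `echo hello | git hash-object --stdin`). The point of `verify_object` is the one Linus and Ævar are making from the other direction: the hash is how a receiver detects that what it got is not what was referenced, and it only protects content that arrived through a channel the receiver already trusts.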