https://shattered.io/static/shattered.pdf https://freedom-to-tinker.com/2017/02/23/rip-sha-1/ IIRC someone has been working on parameterizing git's SHA1 assumptions so a repository could eventually use a more secure hash. How far has that gotten? There are still many "40" constants in git.git HEAD. In the meantime, git commit -S, and checks that commits are signed, seems like the only way to mitigate against attacks such as the ones described in the threads at https://joeyh.name/blog/sha-1/ and https://joeyh.name/blog/entry/size_of_the_git_sha1_collision_attack_surface/ Since we now have collisions in valid PDF files, collisions in valid git commit and tree objects are probably able to be constructed. -- see shy jo
Attachment:
signature.asc
Description: PGP signature