Re: SHA1 collisions found

On Thu, 23 Feb 2017, Junio C Hamano wrote:

> On Thu, Feb 23, 2017 at 8:43 AM, Joey Hess <id@xxxxxxxxxx> wrote:
>>
>> Since we now have collisions in valid PDF files, collisions in valid git
>> commit and tree objects are probably able to be constructed.
>
> That may be true, but
> https://public-inbox.org/git/Pine.LNX.4.58.0504291221250.18901@xxxxxxxxxxxxxxx/

It doesn't help that the Google page on this explicitly says that this shows that it's possible to create two different git repos that have the same hash but different contents.

https://shattered.it/

How is GIT affected?
GIT strongly relies on SHA-1 for the identification and integrity checking of all file objects and commits. It is essentially possible to create two GIT repositories with the same head commit hash and different contents, say a benign source code and a backdoored one. An attacker could potentially selectively serve either repository to targeted users. This will require attackers to compute their own collision.

David Lang
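
How a head commit hash comes to cover file contents, which is what the quoted shattered.it text relies on, shown as an added example that is not part of the original message and is not git's own code. The file name, identity, timestamp, commit message and file contents are constructed sample values.

```python
import hashlib

def git_object_id(obj_type: str, body: bytes) -> str:
    """Name an object the way git does: SHA-1 over '<type> <size>\\0' + body."""
    header = f"{obj_type} {len(body)}".encode() + b"\0"
    return hashlib.sha1(header + body).hexdigest()

def tree_body(entries):
    """Serialize tree entries as '<mode> <name>\\0' + 20 raw bytes of the object id.
    Git sorts entries by name; the sample below has a single entry."""
    out = b""
    for mode, name, oid in entries:
        out += f"{mode} {name}".encode() + b"\0" + bytes.fromhex(oid)
    return out

def commit_body(tree_oid: str, message: str) -> bytes:
    # Constructed identity and timestamp (sample values, not from the page).
    who = "Example Dev <dev@example.invalid> 1487836800 +0000"
    return f"tree {tree_oid}\nauthor {who}\ncommitter {who}\n\n{message}\n".encode()

def head_commit_id(file_bytes: bytes) -> str:
    """blob id -> tree id -> commit id: each level only stores the SHA-1 of the one below."""
    blob = git_object_id("blob", file_bytes)
    tree = git_object_id("tree", tree_body([("100644", "main.c", blob)]))
    return git_object_id("commit", commit_body(tree, "initial import"))

# Constructed sample contents for one file in two otherwise identical repositories.
ORIGINAL = b"int main(void) { return 0; }\n"
MODIFIED = b"int main(void) { return 1; }\n"

if __name__ == "__main__":
    # Different contents give a different blob id, hence a different tree and
    # commit id. The head hash identifies the contents only while no two
    # objects with the same SHA-1 can be produced.
    print("original:", head_commit_id(ORIGINAL))
    print("modified:", head_commit_id(MODIFIED))
```
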