Junio C Hamano <gitster@xxxxxxxxx> writes:

> The hash that names a packfile is constructed by sorting all the
> names of the objects contained in the packfile and running SHA-1
> hash over it.

Sorry, but I need to make a correction here.

This "SHA-1 over sorted object names" is a description of an ancient
behaviour before 1190a1ac ("pack-objects: name pack files after
trailer hash", 2013-12-05) happened.  These days the pack name is
the same as the csum-file checksum of the .pack contents.

This however does not change the fact that the site that feeds us a
packfile is in control of the hash, hence the name we give to the
resulting packfile.

Unlike the use of csum-file for the trailing hash for the index
file, which is only to protect against bit flipping, "SHA-1 over
.pack contents" done here is used to come up with a unique name used
for identification and deduplication (of the packfile, not of
individual objects), and the need for protection against collision
attack attempts does not change between the implementation before
1190a1ac and after that commit.
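
Added example, not part of the original message and not git's own code: the two naming schemes discussed above, computed over a constructed two-blob pack, with a check that a pack's trailer matches its contents before the name is trusted. Assumptions: the helper names are hypothetical, the sample blobs are constructed, and the legacy scheme is taken to hash the sorted raw 20-byte object names.

```python
import hashlib
import struct
import zlib

def obj_header(obj_type, size):
    """Pack entry header: 3-bit type plus variable-length size."""
    first = (obj_type << 4) | (size & 0x0F)
    size >>= 4
    out = bytearray()
    while size:
        out.append(first | 0x80)   # continuation bit: more size bytes follow
        first = size & 0x7F
        size >>= 7
    out.append(first)
    return bytes(out)

def build_pack(blobs, level):
    """Constructed sample: a version-2 pack of blobs (type 3) plus SHA-1 trailer."""
    body = b"PACK" + struct.pack(">II", 2, len(blobs))
    for data in blobs:
        body += obj_header(3, len(data)) + zlib.compress(data, level)
    return body + hashlib.sha1(body).digest()

def trailer_name(pack):
    """Current scheme: the name is the trailing checksum of the .pack contents."""
    body, trailer = pack[:-20], pack[-20:]
    if pack[:4] != b"PACK" or hashlib.sha1(body).digest() != trailer:
        raise ValueError("trailer does not match pack contents")
    return trailer.hex()

def legacy_name(blobs):
    """Pre-1190a1ac scheme (assumed encoding): SHA-1 over sorted raw object names."""
    oids = sorted(hashlib.sha1(b"blob %d\0" % len(b) + b).digest() for b in blobs)
    return hashlib.sha1(b"".join(oids)).hexdigest()

BLOBS = [b"hello\n", b"a" * 100]   # constructed sample objects
PACK_A = build_pack(BLOBS, 0)      # same objects, stored uncompressed
PACK_B = build_pack(BLOBS, 9)      # same objects, maximum compression

if __name__ == "__main__":
    print("legacy :", legacy_name(BLOBS))
    print("pack A :", "pack-%s.pack" % trailer_name(PACK_A))
    print("pack B :", "pack-%s.pack" % trailer_name(PACK_B))
```

The same object set yields one legacy name but two different trailer-based names, and in both schemes the name is computed entirely from bytes chosen by whoever produced the pack.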