Hi Jonathan,

On Fri, 2 Jun 2017, Jonathan Nieder wrote:

> Johannes Schindelin wrote:
> > On Thu, 1 Jun 2017, Stefan Beller wrote:
>
> >> We had a discussion off list how much of the test suite is in bad shape,
> >> and "$ git grep ^index" points out a lot of places as well.
> >
> > Maybe we should call out a specific month (or even a longer period) during
> > which we try to push toward that new hash function, and focus more on
> > those tasks (and on critical bug fixes, if any) than anything else.
>
> Thanks for offering. ;-)

Undoubtedly my lack of command of the English language is to blame for this misunderstanding.

By no means did I try to indicate that I am ready to accept the responsibility of working toward a new hash dumped on me.

What I wanted to suggest instead was that the current direction looks very unfocused to me, and that I do not see anything going forward in a coherent manner.

Hence my suggestion to make it publicly known that a certain time period would be dedicated (and contributions would be highly encouraged) to work on replacing SHA-1 by something else.

But:

1) this cannot be a one-person effort, it is too large

2) it cannot even be as uncoordinated an effort as it is now, because that leads only to bikeshedding instead of progress

3) the only person who could make that call is Junio

4) we still have the problem that there is no cryptography expert among those who in the Git project are listened to

> How did you get the impression that their opinion had no impact? We have
> been getting feedback about the choice of hash function both on and off
> list from a variety of people, some indisputably security experts.
> Sometimes the best one can do is to just listen.

I did get the impression by talking at length to a cryptography expert who successfully resisted any suggestions to get involved in the Git mailing list.

There were also accounts floating around on Twitter that a certain cryptography expert who dared to mention already back in 2005 how dangerous it would be to hardcode SHA-1 into Git was essentially shown the finger, and I cannot fault him for essentially saying "I told you so" publicly.

In my mind, it would have made sense to ask well-respected cryptographers about their opinions and then try to figure out a consensus among them (as opposed to what I saw so far, a lot of enthusiastic talk by developers with little standing in the cryptography community, mostly revolving around hash size and speed as opposed to security). And then try to implement that consensus in Git.

Given my recent success rate with SHA-1 related concerns, I am unfortunately not the person who can bring that about. But maybe you are.

Ciao,
Dscho