Apologies if this has been asked before, but the closest thing I could find was this thread: http://public-inbox.org/git/Pine.LNX.4.62.0504160519330.21837@xxxxxxxxxxxxxxxxxxx/

That thread devolved into a discussion of the security of different hashes and didn't answer my question. I want to know when and where git *guarantees* that the snapshot I have checked out has the checksum that git says it does, or if it does at all.

The use case for this is for package managers. I work on Spack (http://github.com/spack/spack if you're curious) and we download sources from tarballs and git repos (like many similar tools). For tarballs we require a sha256, and we use it to verify the tarball after download. For git repos, we would like to require a commit sha1, provided that it's basically as secure as downloading a tarball and checking it against a known sha1.

So, if I `git clone` something, is the commit sha1 actually verified?

Thanks,
-Todd

PS: I know that sha1 has been declared "risky" by NIST and that folks should move away from it, and please be assured that we're using sha256's everywhere else. Here I really just want to know whether cloning a git repo at a particular commit is as secure as downloading a tarball and checking it against a sha1, not whether or not sha1 is secure.
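The property the question turns on is that a git commit id is a hash over the commit object, which names a tree id, which in turn names the blob ids of the files, so one 40-hex id binds the whole snapshot. The following is an added Python illustration of that chain; it is not part of the original message, nor git's or Spack's code. It reproduces git's object hashing (SHA-1 over `"<type> <size>\0<body>"`) and the blob, tree and commit body layouts, but the repository contents and the author identity are constructed, only regular files in a single flat tree are modelled, and `verify_commit` is a hypothetical stand-in for the recomputation that `git fsck` performs, written here to show why content swapped under a pinned commit id is detectable.

```python
"""How a git commit id commits to the entire checked-out snapshot.

Every object id is SHA-1 over "<type> <size>\\0<body>". A commit body
names a tree id and a tree body names blob ids, so recomputing the hash
of every object reachable from a commit id checks all of the content.
Illustration only: the store, files and identity below are constructed.
"""
import hashlib
from typing import Dict, Optional, Tuple

Store = Dict[str, Tuple[str, bytes]]  # object id -> (type, body)


def object_id(obj_type: str, body: bytes) -> str:
    """Git object id: SHA-1 over the type/size header followed by the body."""
    header = f"{obj_type} {len(body)}\0".encode()
    return hashlib.sha1(header + body).hexdigest()


def blob(data: bytes) -> Tuple[str, bytes]:
    """A blob's body is the raw file content."""
    return object_id("blob", data), data


def tree(entries: Dict[str, str]) -> Tuple[str, bytes]:
    """Tree body: '<mode> <name>\\0<20 raw sha bytes>' per entry, sorted by name.

    Only regular files (mode 100644) are modelled; git also has subtree,
    symlink and executable modes, which are omitted here.
    """
    body = b"".join(
        b"100644 " + name.encode() + b"\0" + bytes.fromhex(oid)
        for name, oid in sorted(entries.items())
    )
    return object_id("tree", body), body


def commit(tree_id: str, message: str, parent: Optional[str] = None) -> Tuple[str, bytes]:
    """Commit body: tree line, optional parent line, author/committer, blank line, message."""
    lines = [f"tree {tree_id}"]
    if parent:
        lines.append(f"parent {parent}")
    ident = "Example <example@example.invalid> 0 +0000"  # constructed identity
    lines += [f"author {ident}", f"committer {ident}", "", message]
    body = ("\n".join(lines) + "\n").encode()
    return object_id("commit", body), body


def build_store(files: Dict[str, bytes], message: str) -> Tuple[str, Store]:
    """Build blob -> tree -> commit for a flat set of files; return (commit id, store)."""
    store: Store = {}
    entries: Dict[str, str] = {}
    for name, data in files.items():
        oid, body = blob(data)
        store[oid] = ("blob", body)
        entries[name] = oid
    tree_id, tree_body = tree(entries)
    store[tree_id] = ("tree", tree_body)
    commit_id, commit_body = commit(tree_id, message)
    store[commit_id] = ("commit", commit_body)
    return commit_id, store


def verify_commit(store: Store, commit_id: str) -> bool:
    """Recompute every hash reachable from commit_id.

    Returns False if any object is missing, has the wrong type, or no longer
    hashes to the id it is stored under (i.e. its content was altered).
    Hypothetical stand-in for the check `git fsck` does; not git's code.
    """
    def fetch(oid: str, expected_type: str) -> Optional[bytes]:
        entry = store.get(oid)
        if entry is None or entry[0] != expected_type:
            return None
        if object_id(entry[0], entry[1]) != oid:
            return None  # content does not match the id it was pinned under
        return entry[1]

    commit_body = fetch(commit_id, "commit")
    if commit_body is None:
        return False
    first_line = commit_body.split(b"\n", 1)[0]
    if not first_line.startswith(b"tree "):
        return False
    tree_body = fetch(first_line[5:].decode(), "tree")
    if tree_body is None:
        return False
    pos = 0
    while pos < len(tree_body):
        nul = tree_body.find(b"\0", pos)
        if nul < 0 or nul + 21 > len(tree_body):
            return False  # malformed tree entry
        blob_id = tree_body[nul + 1:nul + 21].hex()
        if fetch(blob_id, "blob") is None:
            return False
        pos = nul + 21
    return True


if __name__ == "__main__":
    cid, store = build_store({"README": b"hello\n"}, "initial")
    print(cid, verify_commit(store, cid))
    store[blob(b"hello\n")[0]] = ("blob", b"hello, altered\n")  # swap content, keep the id
    print(cid, verify_commit(store, cid))
```

The second `verify_commit` call fails because the altered blob no longer hashes to the id the tree names, which is exactly what pinning a commit id buys a package manager once the objects' hashes are actually recomputed on the receiving side.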