Ævar Arnfjörð Bjarmason <avarab@xxxxxxxxx> writes:

> I wasn't able to find any on-list references to it being intentional,
> but it appears that while we made the sha1collisiondetection variant
> of SHA-1 the default in early 2017 we've never updated the OSX builds
> to do likewise.
>
> I don't know what various git packages for OSX do, but our vanilla OSX
> distribution definitely uses Apple Common Crypto, and won't detect the
> https://shattered.io attack.
>
> This series changes that, and while doing so in 2/5 updates our
> documentation and Makefile interface for the SHA-1 selection. Our
> INSTALL file was still claiming we used OpenSSL's SHA-1 by default.
>
> Then since we'd made sha1collisiondetection the default we hadn't
> changed the code's default fallback to be that, it was still
> block-sha1. Now our fallback behavior is "error" instead, which makes
> it less likely that we'll get some foot-gun like the "OSX not using
> sha1collisiondetection" again.
>
> The 4/5 and 5/5 then remove the PPC_SHA1 implementation. I submitted
> this before as [1], and the range-diff is to that submission (it
> wasn't picked up). I think it makes sense as part of this general
> SHA-1 cleanup.

Thanks for this effort. I'd like to see somebody with "building Git
for distributing to macOS" background to comment (I am assuming that
the mailing list git-packagers@xxxxxxxxxxxxxxxx is the way to reach
them).