On Mon, Jun 20 2022, Stephen Smith wrote: > What is the current status of the SHA-1 to SHA-256 transition? Is the > transition far enough along that users should start changing over to the new > format? Just my 0.02, not the official project line or anything: I wouldn't recommend that anyone use it for anything serious at the moment, as far as I can tell the only users (if any) are currently (some) people work on git itself. The status of it is, I think it's fair to say, that it /should/ work 100% (or at least 99.99%?) as far as git itself is concerned. I.e. you can "init" a SHA-256 repository, all our in-repo tooling etc. will work with it. We run full CI tests with a SHA-256 test suite, and it's passing. But the reason I'd still say "no" on the technical/UX side is: * The inter-op between SHA-256 and SHA-1 repositories is still nonexistent, except for a one-off import. I.e. we don't have any graceful way to migrate an existing repository. * For new repositories I think you'll probably want to eventually push it to one of the online git hosting providers, none of which (as far as I'm aware) support SHA-256 repos. * Even if not, any local git tooling that's not part of git.git is likely to break, often for trivial reasons like expecting SHA-1 sized hashes in the output, but if you start using it for your repositories and use such tools you're very likely to be the first person to run into bugs in those areas. But more importantly (and note that these views are definitely *not* shared by some other project members, so take it with a grain of salt): There just isn't any compelling selling point to migrate to SHA-256 in the near or foreseeable future for a given individual user of git. The reason we started the SHA-1 -> $newhash (it wasn't known that it would be SHA-256 at the time) was in response to https://shattered.io; Although it had been discussed before, e.g. the thread starting at [1] in 2012. We've since migrated our default hash function from SHA-1 to SHA-1DC (except on vanilla OSX, see [2]). It's a variant SHA-1 that detects the SHAttered attack implemented by the same researchers. I'm not aware of a current viable SHA-1 collision against the variant of SHA-1 that we actually use these days. But even assuming for the sake of argument that we were using a much weaker and easier to break hash (say MD4 or MD5) most users still wouldn't have much or anything to worry about in practice. Discovering a hash collision is only the first step in attacking a Git repository. This aspect has been discussed many times on-list, but e.g. [3] is one such thread. The above is really *not* meant to poo-poo the whole notion of switching to a new hash. We're making good progress on it, although I think the really hard part UX-wise is left (online migration). Likewise I'd be really surprised if given the progress of that work the average Git user isn't going to be using not-SHA-1 with Git in 15-20 years, of it's even still around at that time as a relevant VCS. But should even advanced git users be spending time on migrating their data at this point? No, I don't think so given all of the above, and I really think we should carefully consider all of the trade-offs involved before recommending that the average user of git migrate over. 1. https://lore.kernel.org/git/CA+EOSBncr=4a4d8n9xS4FNehyebpmX8JiUwCsXD47EQDE+DiUQ@xxxxxxxxxxxxxx/ 2. https://lore.kernel.org/git/cover-0.5-00000000000-20220422T094624Z-avarab@xxxxxxxxx/ 3. https://lore.kernel.org/git/CACBZZX65Kbp8N9X9UtBfJca7U1T0m-VtKZeKM5q9mhyCR7dwGg@xxxxxxxxxxxxxx/
