On Thu, Jun 23 2022, Stephen Smith wrote: > On Thursday, June 23, 2022 3:21:05 PM MST Ævar Arnfjörð Bjarmason wrote: >> Finally, I'd really like to thank you for all your work on SHA-256 so >> far, and really hope that none of what I've said here is discouraging in >> any way. This thread has received some attention outside this ML (on >> LWN), so I wanted to clarify some of the points above. Thanks! > > I had looked on LWN before I started the thread to see if anything was being > discussed and it wasn't. It wouldn't have helped, as I'm referring to LWN having written an article about this thread that you started :) It's part of an ongoing series they've had about Git's SHA-256 transition. Given how LWN makes money I don't know if it's OK to link to it, but it's easy enough to find and/or subscribe to LWN. > I tend to be an early adopter. I hadn't seen any new commits in the main git > repository in a while and was beginning to wonder if it had been abandoned. > This thread has convinced me that isn't the case, but the main person doing > the developing being busy. It was a good discussion, and I'm happy you started it. I think I've mentioned in some past discussions that it would be nice to have some "gitsecurity" user-facing documentation, and one thing such a thing could include is information that helped users to make an informed decision about how much (if at all) they should be worrying about issues arising from what hash they're using Git with. But some documentation on the questions raised here would also be good, i.e. "should I use the new hash?", which we could keep somewhat up-to-date, and e.g. talk about the approximate state of major third-party software, such as the forges. Currently the closest thing we have to that is the rather sparse and scary "THIS OPTION IS EXPERIMENTAL" in git-init(1) when talking about --object-format=sha256. > I too want to say thank you (Brian) for your hard work. And thank you for using & being interested in git, and contributing to the ML!
