On Fri, Jan 13, 2023 at 05:44:03PM +0100, Hans Petter Selasky wrote:
> By using a cryptographic hash algorithm, the goal is to avoid tampering you
> say, like tampering on the internet, ISP, cache node and so on. To me that's
> clearly a zero-trust thought. You don't trust the guy(s) that put down the
> infrastructure, neither those that provide that local cache for the GIT
> repository, only the master repository. SHA-1 gives a certain confidence,
> that if you checkout XXXXXXX, then you get a likely expected result with
> reduced possibility of tampering.
>
> Anyone could intercept a CRC protected blob and re-compute the hash and send
> it on. But not a SHA-1 one.
>
> I on the other hand trust the guys that put down the internet and are
> providing the cache nodes for GIT.

I admit, I never trust the "guys who put down the internet," so that's a
very scary scenario to me (and I would say to pretty much everyone else on
this list).

> It's two different world views.

Indeed, werenotalike.gif :)

-K