Hello,

On Fri, Jan 13, 2023 at 02:23:59PM +0100, Hans Petter Selasky wrote:
> Hi,
>
> Currently GIT only supports cryptographic hashes for its commit tags.
>
> That means:
>
> 1) It's very difficult to edit the history without also recomputing the hash
> tags for all commits after the needed change-point, which then means
> references to a repository are broken.

That also makes it difficult to alter the repository intentionally without anyone noticing.

With SHA1 being somewhat weak it may be possible to alter repository content although I am not aware of any practical attacks shown so far.

For that reason using stronger hashes is planned in the future.

> 2) Only a single bit error in the main repository can break everything!
>
> 3) Illicit contents may be present in binary blobs, which in the future may
> need to be removed without warrant and the only way to do that is by
> rebasing and force pushing, which will break "everything". It can be
> everything from child-porn to expired distribution licenses.

It's good to avoid spam getting into your repository.

If you really need to alter it long into the past you still can. Everyone will notice that you did, and that's an intentional feature.

In some situations it is understandably an annoyance but there's so much you can do.

At least tags should remain stable.

> Many people think that bit errors cannot happen because the memory uses ECC
> and the file system uses cryptographic hashes to verify the integrity of the
> data. But what many people forget about is that when copying data from
> memory to disk, typically using a DMA channel data is copied w/o any kind of
> integrity protection, because the integrity protection is not end-to-end.
> The integrity protection is only per-link.

So long as all links have integrity protection it's end-to-end.

Integrity checks for CPU caches, buses, and IO protocols do exist.

It's not that errors cannot happen, they are very unlikely.

In the very rare case that such an error happens, so long as a non-corrupted version of the object can be supplied by anyone who has a copy of the repository it is recoverable.

For old objects this should be your backup system. For new objects the worst case is that the history is rolled back so the missing object is not needed.

Thanks

Michal
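
The detect-and-refetch recovery described in the last paragraph of the message above, as an added example that is not part of the original message: an object's name is the hash of its content, so a copy with a flipped bit fails verification and an intact copy from a backup or another clone can be identified with the same check. The blob content, the source names and the helper functions are constructed for illustration; a real repository would do this with `git fsck` and a fetch.

```python
import hashlib
import zlib
from typing import Optional

def encode(obj_type: str, payload: bytes) -> bytes:
    """Bytes git hashes for an object: '<type> <size>' + NUL + payload."""
    return f"{obj_type} {len(payload)}".encode() + b"\x00" + payload

def object_id(raw: bytes, algo: str = "sha1") -> str:
    """Object name = hash of the encoded object (sha1, or sha256 in newer repos)."""
    return hashlib.new(algo, raw).hexdigest()

def verify(oid: str, stored: bytes, algo: str = "sha1") -> bool:
    """Re-hash a zlib-compressed loose object and compare with its name."""
    try:
        return object_id(zlib.decompress(stored), algo) == oid
    except zlib.error:
        return False  # damaged so badly it no longer inflates

def flip_bit(data: bytes, bit: int) -> bytes:
    """Simulate a single-bit error, e.g. during an unprotected copy."""
    out = bytearray(data)
    out[bit // 8] ^= 1 << (bit % 8)
    return bytes(out)

def recover(oid: str, copies: dict) -> Optional[str]:
    """Return the name of the first source whose copy verifies, else None."""
    for source, stored in copies.items():
        if verify(oid, stored):
            return source
    return None

# Constructed sample: one blob, a local copy corrupted before it was written,
# and intact copies held by a backup and by another clone.
RAW = encode("blob", b"hello\n")
OID = object_id(RAW)
COPIES = {
    "local": zlib.compress(flip_bit(RAW, 83)),
    "backup": zlib.compress(RAW),
    "clone": zlib.compress(RAW),
}

if __name__ == "__main__":
    print(OID)
    for name, data in COPIES.items():
        print(name, "ok" if verify(OID, data) else "CORRUPT")
    print("restore from:", recover(OID, COPIES))
```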