On Thu, Aug 31, 2023 at 11:19:14PM +0000, brian m. carlson wrote:
> On 2023-08-31 at 12:47:19, Bagas Sanjaya wrote:
> > Hi,
> >
> > I built Git v2.42.0 on Debian testing, linked with OpenSSL (v3.0.10 from
> > distribution) with Makefile knob `OPENSSL_SHA1=YesPlease
> > OPENSSL_SHA256=YesPlease`. I tried to shallow clone git.git repository:
>
> I should point out that using OpenSSL's SHA-1 support is insecure
> because it doesn't check for collisions. As a practical matter, no
> distro builds that way, and if you distributed that build, it would
> probably qualify for a CVE.
>
> However, OPENSSL_SHA256 being set is fine for a local build or a build
> where you're not distributing OpenSSL itself.

Thanks for the disclaimer. I did such a build for myself since the distro
version is always lagging.

-- 
An old man doll... just what I always wanted! - Clara