On 2024-10-02 at 23:26:18, Jeff King wrote: > This is a regression in v2.47.0-rc0. As mentioned above, I kind of doubt > anybody will hit it in practice (I only did because I was trying to do > some timing tests between the fast and dc variants). And it is almost > tempting to leave it as a wake-up call for anybody who is still not > using a collision-detecting sha1. ;) I think this is a fine fix for 2.47. I have a branch on my remote (sha1-dc-only), which I'll send out after it passes CI (probably later this week), that removes support for the everything but SHA-1-DC (except for the unsafe code). I don't think there's a reasonable configuration where people can use Git with other SHA-1 code except in extremely limited circumstances we shouldn't have to maintain code for. The code is open source, so people who really must have maximum performance with all of the vulnerabilities can patch it back in themselves. -- brian m. carlson (they/them or he/him) Toronto, Ontario, CA
Attachment:
signature.asc
Description: PGP signature
