On Dec 29, 2007 3:27 PM, J.C. Pizarro <jcpiza@xxxxxxxxx> wrote: > Dear Linus Torvalds, > > What do you think to do when your git has to change from SHA-1 to SHA-2 > because of the weaker collision-resistance of SHA-1 in the next years? > > (e.g. from an damn developer trying to commit a collisioned-SHA-1 file) It's a non-issue. The closest-to-practical attack method on SHA-1 is a collision-finding attack, not a second pre-image attack, which means you can find two messages with the same hash. As far as I know, there's no significant weakness known for finding a pre-image, which would be the most practical way of weakening Git's "security" via SHA-1 substitution. Regardless, the use of SHA-1 in Git isn't primarily for security, though it is a nice side-effect. The SHA-1 is there for reliability in addressing and as a good hash. Dave. - To unsubscribe from this list: send the line "unsubscribe git" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
