Re: About git and the use of SHA-1

On Mon, 28 Apr 2008, Henrik Austad wrote:

> Hi list!
> 
> As far as I have gathered, the SHA-1-sum is used as an identifier for commits, 
> and that is the primary reason for using sha1.  However, several places 
> (including the google tech-talk featuring Linus himself) state that the IDs 
> are cryptographically secure.
> 
> As discussed in [1], SHA-1 is not as secure as it once was (and this was in 
> 2005), and I'm wondering - are there any plans for migrating to another 
> hash-algorithm? I.e. SHA-2, Whirlpool..

No. The cryptographic security we care about is that it's impractical to 
come up with another set of content that hashes to the same value as a 
given set of content. The known attacks on SHA-1 (and more broken earlier 
hashes in the same general class) only allow the attacker to produce two 
files that will collide. Now, it's true that this would allow somebody to 
produce a commit where some people see the "good" blob and some people see 
the "evil" blob, but (a) the "good" blob contains some large chunk of 
random data, which is a major red flag by itself, and (b) all of these 
people have to be taking data from the attacker.

If somebody gives you some source, and it's got some large random chunk in 
it, and the behavior of the object depends on the content of this chunk, 
and it's unspecified where this chunk comes from, you should be aware 
that they might be able to swap this chunk for a different chunk. But such 
a file is pretty blatantly malicious anyway.

	-Daniel
*This .sig left intentionally blank*
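
Point (a) in the reply above, that the "good" blob has to carry a large chunk of random data, can be turned into a review check. The following is an added example, not part of the original e-mail or of git: it computes a blob's object ID the way git does and flags byte ranges that look random; the window size, threshold and sample file are assumptions constructed for illustration.

```python
import hashlib
import math
from collections import Counter


def git_blob_id(data: bytes) -> str:
    """Object ID git gives a blob: SHA-1 over b'blob <size>' + NUL + content."""
    return hashlib.sha1(b"blob %d\0" % len(data) + data).hexdigest()


def shannon_entropy(chunk: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values()) if n else 0.0


def random_looking_runs(data: bytes, window: int = 256, threshold: float = 6.5):
    """Merged (start, end) byte ranges whose sliding windows reach the threshold.

    window and threshold are assumed values for this example; plain text and
    source code normally stay well below 6 bits per byte.
    """
    runs = []
    for start in range(0, len(data) - window + 1, window // 2):
        if shannon_entropy(data[start:start + window]) >= threshold:
            end = start + window
            if runs and start <= runs[-1][1]:
                runs[-1] = (runs[-1][0], end)  # overlaps previous hit: extend it
            else:
                runs.append((start, end))
    return runs


def constructed_sample() -> bytes:
    """Constructed input: C source with a 1024-byte opaque chunk in the middle."""
    source = b"static int add(int a, int b)\n{\n\treturn a + b;\n}\n" * 12
    # Deterministic stand-in for random data, so the example runs the same everywhere.
    chunk = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(32))
    return source + chunk + source


if __name__ == "__main__":
    sample = constructed_sample()
    print("blob id:", git_blob_id(sample))
    for start, end in random_looking_runs(sample):
        print(f"review bytes {start}-{end}: high-entropy data of unspecified origin")
```

A flagged range is only a prompt to ask where the data comes from; compressed or encrypted assets are flagged as well.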