> Colliding objects can never enter a repository. Git is lazy and will reuse the
> already existing colliding object with the same name instead.
>

I think you are missing the point. One of the pluses behind originally using SHA-1 and the signed tags is that the system as a whole is cryptographically secure. You can verify from the public key of whoever made the tag that yes, this really is the source and history they tagged.

Not only can DNS attacks be made, fooling users into thinking that they are really connecting to kernel.org, or whatever else server they expect to be connecting to, but also, the server itself may be hacked and objects replaced. I'm just not sure how much time it would take to find a collision.
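
Added example (not part of the original message and not Git's own code): a toy model of the two cases argued above, the quoted claim that an existing object name is reused on receive, and the reply's concern about objects replaced on the server. `ToyStore`, `find_toy_collision` and the 3-hex-digit name truncation are assumptions made so that a collision can be produced at all; real Git names use the full SHA-1.

```python
import hashlib

def git_blob_id(content: bytes, digits: int = 40) -> str:
    """Git's name for a blob: SHA-1 over b'blob <size>\\0' + content.
    digits < 40 truncates the name so the toy below can produce collisions."""
    return hashlib.sha1(b"blob %d\0" % len(content) + content).hexdigest()[:digits]

class ToyStore:
    """Hypothetical in-memory object store modelling the quoted behaviour."""

    def __init__(self, digits: int = 40):
        self.digits = digits
        self.objects = {}  # object name -> stored bytes

    def receive(self, content: bytes):
        """Add an object; if the name already exists, keep the old bytes."""
        name = git_blob_id(content, self.digits)
        if name in self.objects:
            return name, False  # reused, incoming bytes are dropped
        self.objects[name] = content
        return name, True

    def verify(self):
        """Rehash every stored object; return names whose bytes do not match."""
        return [n for n, c in self.objects.items()
                if git_blob_id(c, self.digits) != n]

def find_toy_collision(original: bytes, digits: int) -> bytes:
    """Search constructed inputs for one sharing the truncated name (toy only)."""
    target, i = git_blob_id(original, digits), 0
    while True:
        candidate = b"constructed-%d\n" % i
        if candidate != original and git_blob_id(candidate, digits) == target:
            return candidate
        i += 1

if __name__ == "__main__":
    store = ToyStore(digits=3)  # 12-bit names, so collisions are cheap here
    good = b"constructed source file\n"
    name, _ = store.receive(good)
    other = find_toy_collision(good, 3)
    print("colliding object stored on receive:", store.receive(other)[1])
    store.objects[name] = b"replaced on the server\n"  # direct overwrite
    print("rehash flags plain replacement:", store.verify())
    store.objects[name] = other  # overwrite with the colliding bytes
    print("rehash flags colliding replacement:", store.verify())
```

Rehashing catches an object whose bytes were simply swapped, but not one swapped for colliding bytes, which is why the cost of finding a collision is the open question in the reply.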