mirrors/git-annex
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages 1 Wiki Activity Actions

add para

Browse source
This commit is contained in:
Joey Hess 2017-02-23 19:06:06 -04:00
parent 3afc7d83f2
commit 5a88cab005
No known key found for this signature in database
GPG key ID: C910D9222512E3C7
1 changed files with 7 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

7
doc/devblog/day_449__SHA1_break_day.mdwn
View file

@ -7,6 +7,13 @@ very wealthy attackers. But we're well past the time when it seemed ok that git
uses SHA1. If this gets improved into a chosen-prefix collision uses SHA1. If this gets improved into a chosen-prefix collision
attack, git will start to be rather insecure. attack, git will start to be rather insecure.
Projects that store binary files in git, that might be worth $100k for an
attacker to backdoor **should** be concerned by the SHA1 collisions.
A good example of such a project is
<git://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git>.
Using git-annex (with a suitable backend like SHA256) and signed commits
together is a good way to secure such repositories.
git-annex's SHA1 backend is already documented as only being git-annex's SHA1 backend is already documented as only being
"for those who want a checksum but are not concerned about "for those who want a checksum but are not concerned about
security", so no changes needed here. security", so no changes needed here.