mirrors/git-annex
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages 1 Wiki Activity Actions

devblog

Browse source
This commit is contained in:
Joey Hess 2017-02-27 16:11:35 -04:00
parent e53070c1ff
commit b78703ca4e
No known key found for this signature in database
GPG key ID: C910D9222512E3C7
1 changed files with 16 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

16
doc/devblog/day_451__annex.securehashesonly.mdwn Normal file
View file

@ -0,0 +1,16 @@
The new annex.securehashesonly config setting prevents annexed content
that does not use a cryptographically secure hash from being downloaded or
otherwise added to a repository.
Using that and signed commits prevents SHA1 collisions from causing
problems with annexed files. See [[tips/using_signed_git_commits]] for
details about how to use it, and why I believe it makes git-annex
safe despite git's vulnerability to SHA1 collisions in general.
If you are using git-annex to publish binary files in a repository,
you should follow the instructions in [[tips/using_signed_git_commits]].
If you're using git to publish binary files, you can improve the security
of your repository by switchingto git-annex and signed commits.
Today's work was sponsored by Riku Voipio.