[The first SHA1 collision](https://shattered.io/) was announced today,
produced by an identical-prefix collision attack.

After looking into it all day, it does not appear to impact git's security
immediately, except for targeted attacks against specific projects by
very wealthy attackers. But we're well past the time when it seemed ok that git
uses SHA1. If this gets improved into a chosen-prefix collision
attack, git will start to be rather insecure.

git-annex's SHA1 backend is already documented as only being
"for those who want a checksum but are not concerned about
security", so no changes needed here.