[Cryptography] SHA1 collisions make Git vulnerable to attakcs by third-parties, not just repo maintainers

Theodore Ts'o tytso at mit.edu
Fri Feb 24 09:54:49 EST 2017

There are patches being discussed on the git mailing list to integrate
in the collision detector code which Google made available in the blog
post[1].  That will protect against this specific attack in question,
although granted there may be other attacks that have been or will be
developed against SHA1.

Work to allow git to support an alternate crypto checksum is on-going.
Work to convert to use "struct object_id" everywhree is ongoing, and
is about 40% done[2].

[1] https://public-inbox.org/git/20170223224302.joti4zqucme3vqr2@sigill.intra.peff.net/
[2] http://public-inbox.org/git/20170217214513.giua5ksuiqqs2laj@genre.crustytoothpaste.net/

						- Ted

More information about the cryptography mailing list