[Cryptography] SHA1 collisions make Git vulnerable to attacks by third-parties, not just repo maintainers

William Muriithi william.muriithi at gmail.com
Thu Feb 23 21:27:45 EST 2017


Hi Peter,

> I personally had to tell a client recently that they could not use Git for a
> proposed auditing application as the data they were committing to in their Git
> repo would be sufficiently valuable as to make creating a hash collision
> worthwhile. Specifically, this was a case where you might want to commit to two
> contradictory audit records, as you wouldn't know in advance *which* of the two
> records would be the one you'd want to give to the auditors.
>
> In that case, I assumed an attack would cost about $100k
>
I agree with you here. We are looking for an SCM to replace subversion
and between perforce and git, git does a far better job as far as security
is concerned.

What are you recommending to your clients?  Would be grateful for that
info as we evaluate its usage.

Regards,
William

