[Cryptography] SHA1 collisions make Git vulnerable to attacks by third-parties, not just repo maintainers
phill at hallambaker.com
Thu Feb 23 20:29:34 EST 2017
On Thu, Feb 23, 2017 at 7:46 PM, John Levine <johnl at iecc.com> wrote:
> In article <20170223181409.GA6085 at savin.petertodd.org> you write:
> >Concretely, I could prepare a pair of files with the same SHA1 hash,
> >into account the header that Git prepends when hashing files.
> The Google blog post describes what they did, and mentioned that it
> used upward of 6500 CPU-years to create. So while I agree that the
> collision is real, and github should switch to better hashes ASAP, I'm
> not too worried about an immediate blizzard of fake source code.
Which means there is reason for concern and urgent efforts to fix Git.
There is no reason to panic. But we do need to act.
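
As an added example (not part of the original thread): the quoted message refers to the header Git prepends when hashing files. The sketch below computes a blob's object id that way and flags files whose ids match while their contents differ. The function names and the pluggable `object_id` parameter are this example's own assumptions.

```python
import hashlib
from collections import defaultdict


def git_object_id(data: bytes, algo: str = "sha1", obj_type: str = "blob") -> str:
    """Hash content the way Git does: '<type> <size>\\0' header, then the bytes."""
    header = f"{obj_type} {len(data)}\0".encode()
    return hashlib.new(algo, header + data).hexdigest()


def colliding_blobs(files: dict[str, bytes], object_id=git_object_id) -> list[list[str]]:
    """Return groups of file names that share an object id but not their content.

    Content is compared by SHA-256 digest, so identical copies of one file
    are not reported as a collision.
    """
    groups = defaultdict(dict)  # object id -> {sha256 of content: [names]}
    for name, data in files.items():
        strong = hashlib.sha256(data).hexdigest()
        groups[object_id(data)].setdefault(strong, []).append(name)
    return [
        sorted(name for names in by_content.values() for name in names)
        for by_content in groups.values()
        if len(by_content) > 1  # same id, at least two distinct contents
    ]


if __name__ == "__main__":
    # Constructed sample input.
    sample = {"a.txt": b"hello world\n", "b.txt": b"hello world!\n", "empty": b""}
    for name, data in sample.items():
        # The object id differs from the plain SHA-1 of the same bytes.
        print(name, git_object_id(data), hashlib.sha1(data).hexdigest())
    print("collisions:", colliding_blobs(sample))
```
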