On Tue, Jun 09, 2009 at 03:50:35AM +0200, Robert Buchholz wrote:
> > I only stated that we need to offer GPG signing of commits. I did NOT
> > specify the content of commits, other than noting that the commit
> > message and the content needs to be signed together.
> I don't think I understood what you meant to say, sorry. As I understand 
> the current proposal, it would be over the SHA-1 of the objects, the 
> parent and the commit message.
That's what I'd like it to be over yes.

> I have not seen any statements that would indicate they intended to 
> switch ever, do you have a reference?
I'll dig around for it, it was just in reading the list directly.
There is minimal value in switching to even SHA-512 right now for Git.
The SHA-1 attacks have been extended to the entire SHA family.

> I only found discussions as recent as April 2008. If it will be
> possible to use one (at that time) stronger hash function, my argument
> is defeated. I wanted to point out that right now they only support
> one function that is increasingly weakened, and I have the feeling
> upstream will only act once collisions become practical, which is
> -IMHO- too late.
We're at their mercy already. If you can attack SHA1 and choose the hash
of your malicious content given the only restriction as the file size,
you can insert a file anywhere in the repository already.

All of the attacks thusfar have been chosen plaintext and preimage
attacks. Current state of the art for SHA-1 is 2^52, as announced here:
http://eurocrypt2009rump.cr.yp.to/837a0a8086fa6ca714249409ddfae43d.pdf
(and I think SHA-512 is around 2^140, weaker than even bruteforce
against SHA-1).

I'd be far more concerned about a user introducing a chosen plaintext
that he already has the attack against.

-- 
Robin Hugh Johnson
Gentoo Linux Developer & Infra Guy
E-Mail     : robbat2@g.o
GnuPG FP   : 11AC BA4F 4778 E3F6 E4ED  F38E B27B 944E 3488 4E85