1 |
On 11/04/2015 05:33 PM, Chí-Thanh Christopher Nguyễn wrote: |
2 |
> hasufell schrieb: |
3 |
>> On 11/04/2015 09:56 AM, Andrew Savchenko wrote: |
4 |
>>> No, it is not. The whole git tree is insecure and no better than |
5 |
>>> rsync or CVS in terms of data security because SHA1 is vulnerable. |
6 |
>>> |
7 |
>> Another one who is confusing _any_ collision with _preimage attack_ ;) |
8 |
> |
9 |
> While Andrew's view is very pessimistic here, yours is decidedly |
10 |
> optimistic. |
11 |
> |
12 |
> There is no known computationally feasible preimage attack against MD5, |
13 |
> still that hash function is broken in serious ways with attacks already |
14 |
> having real-world consequences. |
15 |
> |
16 |
> It would be quite naïve to assume that SHA1 will remain secure until a |
17 |
> preimage attack is found. |
18 |
> |
19 |
|
20 |
I didn't. Numerous crypto-analysts have already expressed that SHA-1 is |
21 |
not future-proof. |
22 |
|
23 |
However, saying "it is vulnerable" is simply exaggeration and suggests |
24 |
people should do the math before posting such things. |
25 |
|
26 |
We already had that discussion before the git migration and it is quite |
27 |
pointless. If you want to improve the situation, go talk to git upstream |
28 |
and send patches. |