1 |
>>>>> On Sat, 20 Sep 2014, hasufell wrote: |
2 |
|
3 |
>>> This is a bug in git. Do you want us to wait until it is resolved? |
4 |
>> |
5 |
>> Not a bug. There are VCSs (like Subversion or Bazaar) that use simple |
6 |
>> revision numbers to identify their commits. Git happens to use a hash, |
7 |
>> which is perfectly fine as long as accidental collisions are unlikely. |
8 |
>> Neither has to do anything with security, though. |
9 |
|
10 |
> Because there are other VCSs it is not a bug?? |
11 |
|
12 |
No, but with any other VCS we wouldn't have this discussion. Git using |
13 |
SHA-1 obscures the fact that an additional security layer is needed. |
14 |
This can be either a secure channel for accessing the repository |
15 |
(developers pushing their commits to it), or signed Manifests that |
16 |
ensure integrity of the tree distributed to users. |
17 |
|
18 |
> Of course it is a bug since it is in the gpg-signing chain and to |
19 |
> use it in a practical way is very unlikely. |
20 |
|
21 |
> So you are suggesting to not migrate at all or severely break the |
22 |
> workflow because someone might forge _working code_ with a specific |
23 |
> SHA1? There is no efficient algorithm for that afaik, those are just |
24 |
> about finding _any_ collision and even then it takes considerable |
25 |
> resources that can be used to break gentoo in much easier ways. |
26 |
|
27 |
Weakness of SHA-1 is discussed since several years, and it is |
28 |
generally recommended that one should slowly move away from it. |
29 |
Therefore I would find it strange if we (in 2014!) deployed a system |
30 |
relying on it, while in our present Manifest files SHA-1 was already |
31 |
abandoned long time ago, in favour of more secure hashes. It looks |
32 |
like a move in the wrong direction. |
33 |
|
34 |
Ulrich |