On 09/16/2014 10:03 AM, Rich Freeman wrote:
>
> The gpg signature is on the entire contents of the "commit." However,
> the contents of the commit do not include the files that are being
> committed - it includes hashes of the parent commit, the commit
> message, other headers, and the hash of the tree being committed,
> which is sha1. That last hash is the only thing that ties the commit
> to the files being committed, so you can modify the files all you like
> as long as the sha1 is the same.
>

To put things in perspective, all I had to do was ask for commit access
and somebody eventually gave it to me. We should worry about this when
breaking SHA1 becomes less expensive than the ebuild quizzes.
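
The object layout described in the quoted text, as an added example that is not part of the original message or of git's own code: it rebuilds the blob, tree and commit ids with SHA-1 and shows that the text a gpg signature covers contains only the tree id, never the file contents. The file name, identity, timestamp and parent id are constructed placeholders, and the tree is assumed to be flat with regular files only.

```python
import hashlib

def git_object_id(obj_type: str, body: bytes) -> str:
    """Git names every object by SHA-1 over '<type> <size>' NUL body."""
    header = f"{obj_type} {len(body)}".encode() + b"\x00"
    return hashlib.sha1(header + body).hexdigest()

def blob_id(data: bytes) -> str:
    return git_object_id("blob", data)

def tree_id(files: dict) -> str:
    """files maps name -> content; flat tree of regular files (mode 100644)."""
    body = b""
    for name in sorted(files, key=str.encode):
        # Each entry: mode, space, name, NUL, then the raw 20-byte blob id.
        body += b"100644 " + name.encode() + b"\x00" + bytes.fromhex(blob_id(files[name]))
    return git_object_id("tree", body)

def signed_payload(files: dict, parent: str, message: str) -> bytes:
    """Commit text a gpg signature covers; the gpgsig header is not part of it."""
    ident = "Example Dev <dev@example.org> 1410876180 +0000"  # constructed
    return (f"tree {tree_id(files)}\nparent {parent}\n"
            f"author {ident}\ncommitter {ident}\n\n{message}\n").encode()

# Constructed sample inputs, not taken from any real repository.
PARENT = "0" * 40  # placeholder parent commit id
ORIGINAL = {"foo-1.0.ebuild": b'EAPI=5\nDESCRIPTION="sample package"\n'}
MODIFIED = {"foo-1.0.ebuild": b'EAPI=5\nDESCRIPTION="changed package"\n'}

def compare(a: dict, b: dict) -> dict:
    """Check what the signed text of a commit over `a` contains, versus `b`."""
    pa, pb = (signed_payload(f, PARENT, "version bump") for f in (a, b))
    return {
        "content_in_payload": any(v in pa for v in a.values()),
        "tree_in_payload": tree_id(a).encode() in pa,
        "payloads_differ": pa != pb,
    }

if __name__ == "__main__":
    print(signed_payload(ORIGINAL, PARENT, "version bump").decode())
    print(compare(ORIGINAL, MODIFIED))
```

A changed file yields a different blob id, tree id and signed payload unless the contents collide under SHA-1, which is the case the quoted text is concerned with.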