| 1 |
On 09/16/2014 10:03 AM, Rich Freeman wrote: |
| 2 |
> |
| 3 |
> The gpg signature is on the entire contents of the "commit." However, |
| 4 |
> the contents of the commit do not include the files that are being |
| 5 |
> committed - it includes hashes of the parent commit, the commit |
| 6 |
> message, other headers, and the hash of the tree being committed, |
| 7 |
> which is sha1. That last hash is the only thing that ties the commit |
| 8 |
> to the files being committed, so you can modify the files all you like |
| 9 |
> as long as the sha1 is the same. |
| 10 |
> |
| 11 |
|
| 12 |
To put things in perspective, all I had to do was ask for commit access |
| 13 |
and somebody eventually gave it to me. We should worry about this when |
| 14 |
breaking SHA1 becomes less expensive than the ebuild quizzes. |
Archives