1 |
Ulrich Mueller: |
2 |
>>>>>> On Sat, 20 Sep 2014, hasufell wrote: |
3 |
> |
4 |
>>> Have these plans been abandoned, and are we now planning to |
5 |
>>> distribute the tree to users via Git, where everything goes through |
6 |
>>> the bottleneck of a SHA-1 sum, which was never intended as a |
7 |
>>> security feature? |
8 |
> |
9 |
>> This is a bug in git. Do you want us to wait until it is resolved? |
10 |
> |
11 |
> Not a bug. There are VCSs (like Subversion or Bazaar) that use simple |
12 |
> revision numbers to identify their commits. Git happens to use a hash, |
13 |
> which is perfectly fine as long as accidental collisions are unlikely. |
14 |
> Neither has to do anything with security, though. |
15 |
> |
16 |
|
17 |
Because there are other VCSs it is not a bug?? |
18 |
|
19 |
Of course it is a bug since it is in the gpg-signing chain and to use it |
20 |
in a practical way is very unlikely. |
21 |
|
22 |
So you are suggesting to not migrate at all or severely break the |
23 |
workflow because someone might forge _working code_ with a specific |
24 |
SHA1? There is no efficient algorithm for that afaik, those are just |
25 |
about finding _any_ collision and even then it takes considerable |
26 |
resources that can be used to break gentoo in much easier ways. |
27 |
|
28 |
If you argue there might be someone who already found out more efficient |
29 |
algorithms (and didn't publish them), then I hope you don't really |
30 |
believe that using SHA256 will protect us from him. |