| 1 |
Ulrich Mueller: |
| 2 |
>>>>>> On Sat, 20 Sep 2014, hasufell wrote: |
| 3 |
> |
| 4 |
>>> Have these plans been abandoned, and are we now planning to |
| 5 |
>>> distribute the tree to users via Git, where everything goes through |
| 6 |
>>> the bottleneck of a SHA-1 sum, which was never intended as a |
| 7 |
>>> security feature? |
| 8 |
> |
| 9 |
>> This is a bug in git. Do you want us to wait until it is resolved? |
| 10 |
> |
| 11 |
> Not a bug. There are VCSs (like Subversion or Bazaar) that use simple |
| 12 |
> revision numbers to identify their commits. Git happens to use a hash, |
| 13 |
> which is perfectly fine as long as accidental collisions are unlikely. |
| 14 |
> Neither has to do anything with security, though. |
| 15 |
> |
| 16 |
|
| 17 |
Because there are other VCSs it is not a bug?? |
| 18 |
|
| 19 |
Of course it is a bug since it is in the gpg-signing chain and to use it |
| 20 |
in a practical way is very unlikely. |
| 21 |
|
| 22 |
So you are suggesting to not migrate at all or severely break the |
| 23 |
workflow because someone might forge _working code_ with a specific |
| 24 |
SHA1? There is no efficient algorithm for that afaik, those are just |
| 25 |
about finding _any_ collision and even then it takes considerable |
| 26 |
resources that can be used to break gentoo in much easier ways. |
| 27 |
|
| 28 |
If you argue there might be someone who already found out more efficient |
| 29 |
algorithms (and didn't publish them), then I hope you don't really |
| 30 |
believe that using SHA256 will protect us from him. |
Archives