From: Jonathan Nieder <jrnieder@gmail.com>
To: Duy Nguyen <pclouds@gmail.com>
Cc: Nico Williams <nico@cryptonector.com>,
git discussion list <git@vger.kernel.org>,
"brian m. carlson" <sandals@crustytoothpaste.net>
Subject: Re: How safe are signed git tags? Only as safe as SHA-1 or somehow safer?
Date: Mon, 24 Nov 2014 17:23:59 -0800 [thread overview]
Message-ID: <20141125012359.GR6527@google.com> (raw)
In-Reply-To: <CACsJy8BMNXUinfK=YcJPkx98tYv_e40N0_mqqnzMLxDN6hkruA@mail.gmail.com>
Duy Nguyen wrote:
> The biggest obstacle is the assumption of SHA-1 everywhere in the
> source code (e.g. assume the object name always takes 20 bytes). Brian
> started on cleaning that up [1] but I think it's stalled. Then we need
> to deal with upgrade path for SHA-1 repos.
I think the biggest obstacle is the upgrade path. ;-)
If the upgrade path is taken care of, I won't mind writing and
reviewing a coccinelle-generated patch to replace 20, 40, 21, 41, and
so on with appropriate constants. Or we can take the first 20 bytes
of a SHA-256, which is already supposed to have better security
properties than SHA-1.
Another obstacle is hard-coded SHA-1s in tests.
Thanks,
Jonathan
next prev parent reply other threads:[~2014-11-25 1:23 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-11-16 15:31 How safe are signed git tags? Only as safe as SHA-1 or somehow safer? Patrick Schleizer
2014-11-17 21:26 ` Jeff King
2014-11-21 23:01 ` Patrick Schleizer
2014-11-21 23:32 ` Jason Pyeron
2014-11-22 19:48 ` Jeff King
2014-11-22 19:43 ` Jeff King
2014-11-25 12:59 ` Fedor Brunner
2014-11-24 1:23 ` Duy Nguyen
2014-11-24 10:15 ` Michael J Gruber
2014-11-24 11:44 ` Duy Nguyen
2014-11-25 10:41 ` Duy Nguyen
2014-11-24 15:51 ` Jeff King
2014-11-24 18:14 ` Nico Williams
2014-11-25 1:16 ` Duy Nguyen
2014-11-25 1:23 ` Jonathan Nieder [this message]
2014-11-25 1:52 ` Duy Nguyen
2014-11-25 3:40 ` Stefan Beller
2014-11-25 3:47 ` Jeff King
2014-11-25 10:55 ` Duy Nguyen
2014-11-25 17:23 ` Junio C Hamano
2014-11-25 11:07 ` brian m. carlson
-- strict thread matches above, loose matches on Subject: below --
2014-11-24 0:52 bancfc
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20141125012359.GR6527@google.com \
--to=jrnieder@gmail.com \
--cc=git@vger.kernel.org \
--cc=nico@cryptonector.com \
--cc=pclouds@gmail.com \
--cc=sandals@crustytoothpaste.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.