Re: What about SHA-1 collisions?

[John McKown <john.mckown@healthmarkets.com>]

Josef Wolf <jw <at> raven.inka.de> writes:

> 
> Hello,
> 
> we all know, the probability for SHA-1 collisions is very, very low, almost
> non-existant. But we also know that they are not impossible.
> 
> Just for curiosity: what would happen if such a collision would occur within
> one repository?
> 

In a sense, this cannot happen. Suppose you have a new working directory.
You do a "git init" to initialize it for use by git. You then copy in a
bunch of data from elsewhere. By chance, files "a" and "b" have different
content, but the same sha1 (they collide). The "git add ." command is
basically a short cut for doing something like:
for i in *;do git add $i;done
That is, it seems to add each file, one at a time in some order. Suppose
it creates the sha1 for "a" first. It then creates the appropriate
"stuff" for file "a" in the .git subdirectory, based on the sha1 value. Now,
it gets around to processing "b". It gets the sha1 value of b and finds
that it already has an entry for that value. At that point, the "git add" thinks
"Oh, I've already processed this file. No need to do anything!" So the contents
of file "b" are not saved anywhere in git and, bottom line, that version of "b" 
will not be in the git repository. Ever. Because "a" already has that SHA1 "tied 
up" and it is (theoretically) never released.

I think of the SHA1 value being a unique key into a "write once" database. Once 
you've added some content (a file) into the database, then the SHA1 value of
that content (file) is unmodifiable. Attempts to write another record into the 
database is rejected (in a read DB, you'd get some sort of DUPLICATE KEY 
response). Git considers the "duplicate key" to be just fine because it ASSUMES 
that the SHA1 is unique to the first file (content) which generates it.

Hope I made sense.

John