From: Junio C Hamano <gitster@pobox.com>
To: "brian m. carlson" <sandals@crustytoothpaste.net>
Cc: Okhuomon Ajayi <okhuomonajayi54@gmail.com>, git@vger.kernel.org
Subject: Re: [PATCH] [PATCH] [Outreachy] builtin/patch-id.c: clarify SHA1 usage for patch IDs
Date: Tue, 14 Oct 2025 15:29:34 -0700 [thread overview]
Message-ID: <xmqqjz0xw20h.fsf@gitster.g> (raw)
In-Reply-To: <aO6-LBqhW87GWD-5@fruit.crustytoothpaste.net> (brian m. carlson's message of "Tue, 14 Oct 2025 21:18:36 +0000")
"brian m. carlson" <sandals@crustytoothpaste.net> writes:
>> if (!the_hash_algo)
>> - repo_set_hash_algo(the_repository, GIT_HASH_DEFAULT);
>> + repo_set_hash_algo(the_repository, GIT_HASH_SHA1);
>
> Hmmm. If I run git patch-id in a SHA-256 repository, then I get a
> SHA-256 output here and it's worked this way since Git 2.29.
>
> I know the comment says what it says, but I personally disagree with
> this approach. There will be a point in time where SHA-1 is so weak as
> to be useless and people will want to build a Git version without it.
> For instance, many government agencies around the world have a 2030
> deadline for completely stopping all use of SHA-1. If we continue to
> use SHA-1 here, then this will have to change anyway in a few years, so
> we'd be better off keeping the default algorithm for now and adding an
> option to control which hash is used.
I do not quite agree with that, as SHA-1 in patch-id is merely used
as "a hash function with good distribution that we happened to have
handy access to" without any security requirement. Being able to
compare patch IDs computed long ago stored somewhere with patch ID
on a patch that claims to be freshly written and find them the same
to say "you know, somebody wrote exactly the same patch 7 years ago"
would be valuable, and we do not want to lose it even when you
happen to store your payload in a SHA-256 repository.
next prev parent reply other threads:[~2025-10-14 22:29 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-10-13 17:46 [PATCH] [PATCH] [Outreachy] builtin/patch-id.c: clarify SHA1 usage for patch IDs Okhuomon Ajayi
2025-10-14 3:00 ` Junio C Hamano
2025-10-14 8:04 ` Okhuomon Ajayi
2025-10-14 21:18 ` brian m. carlson
2025-10-14 22:29 ` Junio C Hamano [this message]
2025-10-14 22:49 ` brian m. carlson
2025-10-14 23:27 ` Okhuomon Ajayi
2025-10-15 13:37 ` Junio C Hamano
2025-10-15 13:59 ` Kristoffer Haugsbakk
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=xmqqjz0xw20h.fsf@gitster.g \
--to=gitster@pobox.com \
--cc=git@vger.kernel.org \
--cc=okhuomonajayi54@gmail.com \
--cc=sandals@crustytoothpaste.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).