Re: Git and SHA1 collisions



On Sun, Mar 31, 2024 at 10:27:05AM +0200, Simon Josefsson wrote:
> Gioele Barabucci <gioele@svario.it> writes:
> 
> > But pulling a successful collision attack is not a trivial task. For
> > instance, the xz attacker did not have all that was required to carry
> > it out (for example they had no direct access to the git
> > servers... yet).
> 
> Is that necessary?  It seems that if you have push access, you can push
> a colliding commit.  Does GitLab on Salsa verify (and reject?) colliding
> commit ids à la SHA1-CD?  Would the tag2upload git server do that?

Was that not what "the second countermeasure" part was?
If a first commit has ever been pushed, the second one would not
be "visible".

G'luck,
Peter

-- 
Peter Pentchev  roam@ringlet.net roam@debian.org pp@storpool.com
PGP key:        http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115  C354 651E EFB0 2527 DF13