Re: Validating tarballs against git repositories

To: Simon Josefsson <simon@josefsson.org>
Cc: Gioele Barabucci <gioele@svario.it>, debian-devel@lists.debian.org
Subject: Re: Validating tarballs against git repositories
From: Sean Whitton <spwhitton@spwhitton.name>
Date: Sat, 30 Mar 2024 20:20:14 +0800
Message-id: <[🔎] 87frw7zzb5.fsf@melete.silentflame.com>
In-reply-to: <[🔎] 87a5mgufud.fsf@kaka.sjd.se> (Simon Josefsson's message of "Sat, 30 Mar 2024 12:19:38 +0100")
References: <[🔎] 2fbfdafc-31f1-43df-be49-f6b0725bfb3e@aerusso.net> <[🔎] 87le60um1i.fsf@kaka.sjd.se> <[🔎] 8bbfdd8f-3c79-46cd-b716-d743710bcc22@svario.it> <[🔎] 87a5mgufud.fsf@kaka.sjd.se>

Hello,

On Sat 30 Mar 2024 at 12:19pm +01, Simon Josefsson wrote:

> Relying on signed git tags is not reliable because git is primarily
> SHA1-based which in 2019 cost $45K to do a collission attack for.

We did some analysis on the SHA1 vulnerabilities and determined that
they did not meaningfully affect dgit & tag2upload's design.

-- 
Sean Whitton

Attachment: signature.asc
Description: PGP signature

Reply to:

Follow-Ups:
- Re: Validating tarballs against git repositories
  - From: Simon Josefsson <simon@josefsson.org>

References:
- Validating tarballs against git repositories
  - From: Antonio Russo <aerusso@aerusso.net>
- Re: Validating tarballs against git repositories
  - From: Simon Josefsson <simon@josefsson.org>
- Re: Validating tarballs against git repositories
  - From: Gioele Barabucci <gioele@svario.it>
- Re: Validating tarballs against git repositories
  - From: Simon Josefsson <simon@josefsson.org>

Prev by Date: Re: Validating tarballs against git repositories
Next by Date: Re: Validating tarballs against git repositories
Previous by thread: Re: Validating tarballs against git repositories
Next by thread: Re: Validating tarballs against git repositories
Index(es):
- Date
- Thread