[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: tag2upload (git-debpush) service architecture - draft


On 7/27/19 8:16 PM, Rebecca N. Palmer wrote:> As a way to avoid relying
on SHA-1, would it work to have git-debpush
> include a longer hash in the tag message, and tag2upload also verify
> that hash?
>
The other idea would be to convince git upstream to use something
better than sha1 - and after a bit of searching, I found

https://github.com/git/git/blob/master/Documentation/technical/hash-function-transition.txt

- Git v2.13.0 and later use a hardened sha-1 implementation by
default, which isn't vulnerable to the SHAttered attack.
Still sha-1, though.

- there is a plan to support sha256.

Googling a bit more found

https://stackoverflow.com/questions/28159071/why-doesnt-git-use-more-modern-sha

which gives some insight on the (plans for) implementation.


So I think the best thing to do is to get sha256 working in git and
force the usage of sha256 if you want to sign a tag for upload.



-- 
 Bernd Zeimetz                            Debian GNU/Linux Developer
 http://bzed.de                                http://www.debian.org
 GPG Fingerprint: ECA1 E3F2 8E11 2432 D485  DD95 EB36 171A 6FF9 435F
Reply to: