Re: tag2upload (git-debpush) service architecture - draft
On 7/27/19 8:16 PM, Rebecca N. Palmer wrote:> As a way to avoid relying
on SHA-1, would it work to have git-debpush
> include a longer hash in the tag message, and tag2upload also verify
> that hash?
>
The other idea would be to convince git upstream to use something
better than sha1 - and after a bit of searching, I found
https://github.com/git/git/blob/master/Documentation/technical/hash-function-transition.txt
- Git v2.13.0 and later use a hardened sha-1 implementation by
default, which isn't vulnerable to the SHAttered attack.
Still sha-1, though.
- there is a plan to support sha256.
Googling a bit more found
https://stackoverflow.com/questions/28159071/why-doesnt-git-use-more-modern-sha
which gives some insight on the (plans for) implementation.
So I think the best thing to do is to get sha256 working in git and
force the usage of sha256 if you want to sign a tag for upload.
--
Bernd Zeimetz Debian GNU/Linux Developer
http://bzed.de http://www.debian.org
GPG Fingerprint: ECA1 E3F2 8E11 2432 D485 DD95 EB36 171A 6FF9 435F
Reply to: