Bug#765512: general: distrust old crypto algos and protocols perdefault

[Ian Jackson <ijackson@chiark.greenend.org.uk>]

Joey Hess writes ("Bug#765512: general: distrust old crypto algos and protocols perdefault"):
> Instead, it makes sense to adapt workflows that do not trust git hashes,
> which mostly means making signed tags and commits, and checking the
> signatures. This is something Debian could improve in many areas, I'm
> sure.

The whole git content-addressable-object-store model relies utterly on
the hashes.  A signed tag is a (weirdly formatted) GPG-signed text
file (the tag) containing the sha1 hash of a text file (the commit)
containing the sha1 hash of a binary file (the tree object) containing
the sha1 hasshes of the actual files at the top level and of further
binary files (tree objects) containing further sha1 hashes of further
files and further tree objects.  All of these hashes are translated
into their preimiages by looking them up in the object store.

Ian.