
Re: ask github to encourage signed git tags



Asheesh Laroia <asheesh@asheesh.org> writes:
> Yes, I do! I've pinged a friend at GitHub and CC:d the people who have
> participated in this thread so far. Let's see how that conversation goes.

Just as an FYI, signing a git tag produces a slightly weaker security
guarantee than signing a tarball.

Specifically, an attacker who is capable of a second-preimage attack on
SHA-1 can forge git commits which will still verify if signed.  No one
has publicly been able to produce even a collision in SHA-1 yet,
though most people suspect it is either already in the capability of
state-level attackers or will be in the next few years.  Second-preimage
is harder than just producing collisions, but it is still something
that's good to be aware of.

Sincerely,

-- 
Harlan Lieberman-Berg
~hlieberman
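An added illustration of the binding Harlan is describing (example code written for this page, not git's own code and not part of the message above): a PGP signature on an annotated tag covers the tag object, and the tag object names the commit only by its 40-hex-digit SHA-1 object name. Once the signature itself checks out, all git can do is compare the SHA-1 of the commit it has against that line, which is exactly the check a second preimage defeats. A detached signature on a tarball, by contrast, is computed over the file bytes with gpg's own digest. The object layouts follow git's documented formats; the identity string, messages, and the "tarball" bytes are constructed sample data, and SHA-256 as gpg's digest is an assumption.

```python
import hashlib

# Added illustration: why a signed tag binds to a commit only through its SHA-1
# object name. Object formats follow git's documented layout; identities,
# messages and the tarball bytes below are constructed sample data.


def git_object_id(obj_type: str, data: bytes) -> str:
    """SHA-1 object name exactly as git computes it: "<type> <len>\\0" + payload."""
    header = f"{obj_type} {len(data)}\0".encode()
    return hashlib.sha1(header + data).hexdigest()


def make_commit(tree_id: str, parent_ids: list, ident: str, message: str) -> bytes:
    """Serialize a commit object. Tree and parents are referenced by SHA-1 only."""
    lines = [f"tree {tree_id}"]
    lines += [f"parent {p}" for p in parent_ids]
    lines += [f"author {ident}", f"committer {ident}", "", message]
    return ("\n".join(lines) + "\n").encode()


def make_tag_payload(object_id: str, obj_type: str, tag_name: str,
                     ident: str, message: str) -> bytes:
    """Serialize an annotated tag body. For a signed tag these are the bytes the
    PGP signature covers (git appends the signature block after them)."""
    lines = [f"object {object_id}", f"type {obj_type}", f"tag {tag_name}",
             f"tagger {ident}", "", message]
    return ("\n".join(lines) + "\n").encode()


def signed_object_id(tag_payload: bytes) -> str:
    """The only thing the signature says about the commit: its SHA-1 name."""
    first_line = tag_payload.split(b"\n", 1)[0].decode()
    kind, oid = first_line.split(" ", 1)
    if kind != "object":
        raise ValueError("not a tag object")
    return oid


def commit_matches_tag(tag_payload: bytes, commit_bytes: bytes) -> bool:
    """What remains after the PGP signature itself verifies: the commit on disk
    is accepted iff its SHA-1 equals the tag's object line. A commit' with the
    same SHA-1 (a second preimage) passes this check by construction."""
    return git_object_id("commit", commit_bytes) == signed_object_id(tag_payload)


def tarball_digest(tarball: bytes) -> str:
    """A detached signature on a tarball is computed over the file bytes with
    gpg's own digest (SHA-256 assumed here); git's SHA-1 names never enter."""
    return hashlib.sha256(tarball).hexdigest()


if __name__ == "__main__":
    ident = "Jane Dev <jane@example.org> 1450000000 +0000"   # constructed
    empty_tree = git_object_id("tree", b"")                    # well-known 4b825dc6...
    commit = make_commit(empty_tree, [], ident, "Release 1.0")
    tag = make_tag_payload(git_object_id("commit", commit), "commit",
                           "v1.0", ident, "Signed release")
    print("genuine commit accepted:", commit_matches_tag(tag, commit))

    # Ordinary tampering changes the SHA-1 and is rejected ...
    tampered = commit.replace(b"Release 1.0", b"Release 1.0 (backdoored)")
    print("tampered commit accepted:", commit_matches_tag(tag, tampered))
    # ... but the check sees only 40 hex digits, so any object with the same
    # SHA-1 is indistinguishable from the signed one.
    print("signature names only:", signed_object_id(tag))
```

Note that the same indirection repeats below the commit: the commit names its tree by SHA-1, and the tree names every blob by SHA-1, so a second preimage on any object in that chain substitutes content without touching the signed bytes.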

