Re: git & Debian packaging sprint report
Hi,
On Mon, 15 Jul 2019 at 17:50, Russ Allbery <rra@debian.org> wrote:
> Ansgar Burchardt <ansgar@debian.org> writes:
> > SHA-1 isn't going to get stronger in the future. The TLS world has
> > already moved on, OpenPGP is still in the slow process to move on,
> > Release/Packages stopped using it[1], there is no reason to continue
> > using it.
>
> Well, the reason to continue using it is that Git uses it and we use Git,
> and it may simplify the workflow.
>
> You're not wrong, of course, but preimage attacks are very hard. MD5 is
> still probably robust against preimage attacks, let alone SHA-1. By all
> means, let's future-proof as much as possible, but I'm not sure worrying
> about SHA-1 preimage resistance is the most important design principle in
> this case. At some point, Git itself will switch away from SHA-1, and we
> can then obviously follow.
>
> That said, there's enough custom logic going on here that it may be easy
> to add something that you describe, in which case, great.
>
> > The client tool could possibly also just create the .dsc and .changes,
> > except for hashes of the compressed files, and the web service just
> > recreate the tarball and compress them.
>
> I think experience with pristine-tar indicates that recreating tarballs is
> unfortunately not trivial.

We in Apertis use git-lfs with a wrapper which emulates pristine-tar[0].
git-lfs doesn’t attempt to be clever, it just stores blobs outside of
the repo, but integrates with git.
It is currently being packaged for Debian.

[0]: https://pypi.org/project/pristine-lfs/
--
Cheers,
Andrej