Re: git & Debian packaging sprint report

To: debian-devel@lists.debian.org
Subject: Re: git & Debian packaging sprint report
From: Peter Wienemann <fossdev@posteo.de>
Date: Tue, 16 Jul 2019 09:25:01 +0200
Message-id: <[🔎] 6ddeebc6-da8a-f1c9-aba5-00ef750606a3@posteo.de>
In-reply-to: <[🔎] 877e8jf2dz.fsf@hope.eyrie.org>
References: <[🔎] 87bly2nwcf.fsf@iris.silentflame.com> <[🔎] 18ECEC09-EF0B-439E-A329-6739C3572A0C@kitterman.com> <[🔎] 877e8nbuu5.fsf@zephyr.silentflame.com> <[🔎] 87ims3fc0d.fsf@hope.eyrie.org> <[🔎] 87sgr7qgbv.fsf@43-1.org> <[🔎] 87d0ibf5av.fsf@hope.eyrie.org> <[🔎] 878sszc9kr.fsf@43-1.org> <[🔎] 877e8jf2dz.fsf@hope.eyrie.org>

On 15.07.19 22:50, Russ Allbery wrote:
> At some point, Git itself will switch away from SHA-1, and we
> can then obviously follow.

According to [0]:

-----
"Git v2.13.0 and later subsequently moved to a hardened SHA-1
implementation by default, which isn't vulnerable to the SHAttered
attack.

Thus Git has in effect already migrated to a new hash that isn't SHA-1
and doesn't share its vulnerabilities, its new hash function just
happens to produce exactly the same output for all known inputs,
except two PDFs published by the SHAttered researchers, and the new
implementation (written by those researchers) claims to detect future
cryptanalytic collision attacks."
-----

The document also outlines plans for a transition to SHA256. It actually
seems that since git version 2.21.0 the first SHA256 implementations
have entered the git code [1, 2]. Though I have no idea whether using
SHA256 is already production-ready.

Therefore I think that distrust in SHA1 is no reason to discard Sean's
and Ian's debpush proposal.

Peter

[0]
https://github.com/git/git/blob/master/Documentation/technical/hash-function-transition.txt

[1]
https://github.com/git/git/commit/33e4ae9c509e0ecdc6508475f2974d275539616e

[2]
https://github.com/git/git/commit/27dc04c54506967fcaa87b2d560547ee5633040c

Reply to:

References:
- git & Debian packaging sprint report
  - From: Sean Whitton <spwhitton@spwhitton.name>
- Re: git & Debian packaging sprint report
  - From: Scott Kitterman <debian@kitterman.com>
- Re: git & Debian packaging sprint report
  - From: Sean Whitton <spwhitton@spwhitton.name>
- Re: git & Debian packaging sprint report
  - From: Russ Allbery <rra@debian.org>
- Re: git & Debian packaging sprint report
  - From: Ansgar Burchardt <ansgar@debian.org>
- Re: git & Debian packaging sprint report
  - From: Russ Allbery <rra@debian.org>
- Re: git & Debian packaging sprint report
  - From: Ansgar Burchardt <ansgar@debian.org>
- Re: git & Debian packaging sprint report
  - From: Russ Allbery <rra@debian.org>

Prev by Date: Re: git & Debian packaging sprint report
Next by Date: Re: git & Debian packaging sprint report
Previous by thread: Re: git & Debian packaging sprint report
Next by thread: Re: git & Debian packaging sprint report
Index(es):
- Date
- Thread