Re: Validating tarballs against git repositories

To: debian-devel@lists.debian.org
Subject: Re: Validating tarballs against git repositories
From: Timo Röhling <roehling@debian.org>
Date: Sun, 31 Mar 2024 00:51:38 +0100
Message-id: <[🔎] yupncbyvz5zxdgyiq2chwnieiyqs2rwlxdjppqdletwkh25lyx@lro363fwsdj4>
Mail-followup-to: debian-devel@lists.debian.org
In-reply-to: <[🔎] 87a5mgufud.fsf@kaka.sjd.se>
References: <[🔎] 2fbfdafc-31f1-43df-be49-f6b0725bfb3e@aerusso.net> <[🔎] 87le60um1i.fsf@kaka.sjd.se> <[🔎] 8bbfdd8f-3c79-46cd-b716-d743710bcc22@svario.it> <[🔎] 87a5mgufud.fsf@kaka.sjd.se>

Hi,

* Simon Josefsson <simon@josefsson.org> [2024-03-30 12:19]:

Relying on signed git tags is not reliable because git is primarily
SHA1-based which in 2019 cost $45K to do a collission attack for.

FWIW, Gitlab is working on support for SHA 256 hashing [1], and asof Git 2.42, the SHA 256 repository format has matured enough thatbackwards incompatible breaks are very unlikely [2].



Cheers
Timo

[1]https://about.gitlab.com/blog/2023/08/28/sha256-support-in-gitaly/

[2] https://lore.kernel.org/lkml/xmqqr0nwp8mv.fsf@gitster.g/


--
⢀⣴⠾⠻⢶⣦⠀   ╭────────────────────────────────────────────────────╮
⣾⠁⢠⠒⠀⣿⡁   │ Timo Röhling                                       │
⢿⡄⠘⠷⠚⠋⠀   │ 9B03 EBB9 8300 DF97 C2B1  23BF CC8C 6BDD 1403 F4CA │
⠈⠳⣄⠀⠀⠀⠀   ╰────────────────────────────────────────────────────╯

Attachment: signature.asc
Description: PGP signature

Reply to:

References:
- Validating tarballs against git repositories
  - From: Antonio Russo <aerusso@aerusso.net>
- Re: Validating tarballs against git repositories
  - From: Simon Josefsson <simon@josefsson.org>
- Re: Validating tarballs against git repositories
  - From: Gioele Barabucci <gioele@svario.it>
- Re: Validating tarballs against git repositories
  - From: Simon Josefsson <simon@josefsson.org>

Prev by Date: Re: xz backdoor
Next by Date: Re: xz backdoor
Previous by thread: Re: Git and SHA1 collisions
Next by thread: Re: Validating tarballs against git repositories
Index(es):
- Date
- Thread