Hi,

* Simon Josefsson <simon@josefsson.org> [2024-03-30 12:19]:
> Relying on signed git tags is not reliable because git is primarily SHA1-based which in 2019 cost $45K to do a collision attack for.

FWIW, Gitlab is working on support for SHA 256 hashing [1], and as of Git 2.42, the SHA 256 repository format has matured enough that backwards incompatible breaks are very unlikely [2].

Cheers
Timo

[1] https://about.gitlab.com/blog/2023/08/28/sha256-support-in-gitaly/
[2] https://lore.kernel.org/lkml/xmqqr0nwp8mv.fsf@gitster.g/

-- 
Timo Röhling
9B03 EBB9 8300 DF97 C2B1 23BF CC8C 6BDD 1403 F4CA