Re: Security review of tag2upload

To: debian-vote@lists.debian.org
Subject: Re: Security review of tag2upload
From: Marco d'Itri <md@Linux.IT>
Date: Thu, 13 Jun 2024 16:29:56 -0000 (UTC)
Message-id: <[🔎] v4f6q2$jj99$1@posted-at.bofh.it>
References: <[🔎] 87wmmv7xdz.fsf@hope.eyrie.org> <[🔎] 875xudht0x.fsf@kaka.sjd.se>

simon@josefsson.org wrote:

>Can this be substantiated?  Using SHA1CD in Git does not necessarily
>mean someone cannot manually create a Git repository with a colliding
>git commit somewhere in the history that gets accepted by git, and
>allows someone to replace actual file contents.  That may be the case,
>but I haven't seen any detailed analysis answering that.
This is quite a strong assertion, and it is up to you to prove it.
The current consensus among cryptography experts is that SHA-1 is still
resistant to preimage attacks.

-- 
ciao,
Marco

Reply to:

Follow-Ups:
- Re: Security review of tag2upload
  - From: Russ Allbery <rra@debian.org>

References:
- Security review of tag2upload
  - From: Russ Allbery <rra@debian.org>
- Re: Security review of tag2upload
  - From: Simon Josefsson <simon@josefsson.org>

Prev by Date: Re: [RFC] General Resolution to deploy tag2upload
Next by Date: Re: Security review of tag2upload
Previous by thread: Re: Security review of tag2upload
Next by thread: Re: Security review of tag2upload
Index(es):
- Date
- Thread