Public
- Public
- Groups
- Popular
- People

Conversation

Notices

Bob Mottram (bob@social.freedombone.net)'s status on Thursday, 23-Feb-2017 19:58:35 UTC Bob Mottram

So it has been known that sha1 is insecure for some time. Now that there are practical collision attacks a possible exploit would be to flip a bit on a git commit and have the hash remain constant, introducing a vulnerability which could then be delivered via foxacid. How often is the linux repo cloned, for example, and how many downstream systems could be infected? (a lot)

A workaround might be to routinely gpg sign git commits, but really git should move to a better hash.

In conversation Thursday, 23-Feb-2017 19:58:35 UTC from social.freedombone.net permalink
- drymer #en proceso de migrar (drymervieja@quitter.se)'s status on Thursday, 23-Feb-2017 20:07:55 UTC drymer #en proceso de migrar
  in reply to
  
  @bob Are signed commits checked automatically? If not, it wouldn't be very useful in this case.
  
  In conversation Thursday, 23-Feb-2017 20:07:55 UTC permalink
- Bob Mottram (bob@social.freedombone.net)'s status on Thursday, 23-Feb-2017 20:12:17 UTC Bob Mottram
  in reply to
  - drymer #en proceso de migrar
  @drymer on github they are. I don't know if they're in gogs yet
  
  In conversation Thursday, 23-Feb-2017 20:12:17 UTC permalink
- drymer #en proceso de migrar (drymervieja@quitter.se)'s status on Thursday, 23-Feb-2017 20:30:43 UTC drymer #en proceso de migrar
  in reply to
  
  @bob Gitea doesn't, it seems.
  
  In conversation Thursday, 23-Feb-2017 20:30:43 UTC permalink

Public

Conversation

Notices

Feeds