I thought I’d write an update on git and SHA1, since the SHA1 collision attack was so prominently in the news. Quick overview first, with more in-depth explanation below:

(1) First off – the sky isn’t falling. There’s a big difference between using a cryptographic hash for things like security signing, and using one for generating a “content identifier” for a content-addressable system like git.

(2) Secondly, the nature of this particular SHA1 attack means that it’s actually pretty easy to mitigate against, and there’s already been two sets of patches posted for that mitigation.

(3) And finally, there’s actually a reasonably straightforward transition to some other hash that won’t break the world – or even old git repositories.

Anyway, that’s the high-level overview, you can stop there unless you are interested in some more details (keyword: “some”. If you want more, you should participate in the git mailing list discussions – I’m posting


