On Wed, Mar 14, 2018 at 6:01 PM, Alan Modra amodra@gmail.com wrote:
On Wed, Mar 14, 2018 at 04:40:25PM -0700, Andy Lutomirski wrote:
I realize that the security issue here is barely relevant, but git’s use of SHA1 is *not* okay, and git is migrating away for a reason.
Hmm, that's news to me. Heh, I've always been a bit suspicious of git's reliability. ;-)
I'm afraid Andy has listened to a few too many hard-liner security people - the bad kind that don't know shades of gray, and the kind that aren't generally worth listening to.
SHA1 with the known attack weakness fixed (aka "Hardened SHA1", the way git already does) in a non-certificate environment is fine.
The fact is, data identification is different from some kind of security that depends on the key. I wouldn't use even hardened SHA1 for some security certificate. But for file ID's? Andy is confused.
Linus
On Wed, Mar 14, 2018 at 6:46 PM, Linus Torvalds torvalds@linux-foundation.org wrote:
SHA1 with the known attack weakness fixed (aka "Hardened SHA1", the way git already does) in a non-certificate environment is fine.
.. don't get me wrong, git will migrate away, but the whole "it's not fine" stuff is just fear-mongering garbage.
Linus
kernel@lists.fedoraproject.org