the end times (of git security) are here

joeyh at 2017-02-23T16:29:41Z

"The new result demonstrates a collision in SHA-1. The researchers found two PDF files that have the same hash."

I tried to push the git devs toward having a switch to throw, or a transition plan for this day, but I failed. There has been some slow work being done to that end, so perhaps this will pick up the pace.

You can, however, check the new colliding PDFs into git-annex. Just don't use --backend SHA1 when you do.

Jakukyo Friel, Stephen Michael Kellat, clacke@libranet.de ❌, Ben Sturmfels and 3 others likes this.

Stephen Michael Kellat, Stephen Michael Kellat, clacke@libranet.de ❌, clacke@libranet.de ❌ and 1 others shared this.

Show all 8 replies

It's not a known preimage attack..

joeyh at 2017-02-24T07:16:18Z

clacke@libranet.de ❌ likes this.

Got it.

clacke@libranet.de ❌ at 2017-02-24T07:21:57Z

How does git stack up against bzr in the new dispensation after the SHA1 collision?

Stephen Michael Kellat at 2017-02-25T16:01:31Z

Looks like it just claimed it's first victim:

https://arstechnica.com/security/2017/02/watershed-sha1-collision-just-broke-the-webkit-repository-others-may-follow/

Freemor at 2017-02-25T16:32:30Z