Have hash collisions in Git ever been a problem for you?
What is the exact scenario in which a hash collision would be dangerous? (Like, you give some random person push access to your repository and... I'm really getting lost here... they override some commit with a different commit with the same hash? And that's somehow worse than them just creating a new commit with a different hash, which you would notice for sure? And the only reason you won't notice their Evil Change is because they sneaked it in inside a hash collision?)
We don't know how to push bad artifacts into a Merkle tree by exploiting SHA-1's weaknesses. The thing is, though, we didn't want to be pushed into scrambling for a better hash algorithm after some clever bastard works that trick out. :)
It appears that git currently has experimental, non-backward-compatible support for sha256, so I'd guess "as soon as they finish fixing any issues and figure out a nice upgrade path", with the caveat that there's little pressure because it's not actually a practical problem yet and isn't expected to be one in the foreseeable future.
tasuki|3 years ago
wyoung2|3 years ago
yjftsjthsd-h|3 years ago
wyoung2|3 years ago