PurelyApplied | 2 years ago
Sha1 is a hashing function. As a hashing function, it's fine. Why does your identifier need to be cryptographically secure?
I agree with the name and email issues, but laughed at the idea that a URL is somehow more robust.
Who claims that git is a database?
I agree with the broad strokes, especially having as many conversations as I've had with frustrated people about why their repo is in an unhappy state.
rileymat2 | 2 years ago
There are many use cases where people are using the hash to guarantee no actor has inserted different code than they expect in a dependency, so the dependency is pinned to a hash. Not being secure would be catastrophic for some use cases that people are currently using, if widespread.
We could make a claim this is a misuse, but this is what people are doing.
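An added example (my own code, not from the thread or from git itself) of what "pinned to a hash" means in practice: git's object id is the hash of the header `"<type> <size>\0"` followed by the content, so a lockfile entry can be re-derived from fetched bytes and compared. The sample dependency file and its tampered variant are constructed; the one real value is git's well-known id for the empty blob, used as a sanity check. The check is written with the hash algorithm as a parameter so the same verification logic works for a SHA-256 object store, which is the point of the thread: the integrity guarantee is only as strong as the hash's collision resistance.

```python
"""Re-deriving a git-style object id and checking it against a pinned value.
Added example, not code from the discussion above."""
import hashlib
import hmac


def git_object_id(obj_type: str, content: bytes, algo: str = "sha1") -> str:
    """Return hex id of a git object: hash("<type> <size>\\0" + content).

    algo is any hashlib name; git's SHA-1 and SHA-256 stores both use this
    framing, so the same function covers either (assumption: hashlib names).
    """
    header = f"{obj_type} {len(content)}\0".encode("ascii")
    return hashlib.new(algo, header + content).hexdigest()


def verify_pinned(obj_type: str, content: bytes, pinned_id: str,
                  algo: str = "sha1") -> bool:
    """True only if the fetched content hashes to the id the lockfile pinned.

    compare_digest avoids leaking where the first mismatching byte is.
    """
    actual = git_object_id(obj_type, content, algo)
    return hmac.compare_digest(actual, pinned_id.strip().lower())


# Git's real id for the empty blob, a fixed point usable as a self-test.
EMPTY_BLOB_SHA1 = "e69de29bb2d1d6434b8b29ae775ad8c2e48c5391"

# Constructed sample: a dependency file and the id a lockfile would record.
ORIGINAL = b"def add(a, b):\n    return a + b\n"
PINNED = git_object_id("blob", ORIGINAL)
# Constructed tampered copy: one extra line changes the id entirely.
TAMPERED = ORIGINAL + b"# one more line\n"


def main() -> None:
    print("empty blob id matches git:", git_object_id("blob", b"") == EMPTY_BLOB_SHA1)
    print("pinned id:", PINNED)
    print("original verifies:", verify_pinned("blob", ORIGINAL, PINNED))
    print("tampered verifies:", verify_pinned("blob", TAMPERED, PINNED))
    print("sha256 id:", git_object_id("blob", ORIGINAL, "sha256"))


if __name__ == "__main__":
    main()
```

The hash check detects any content change that does not collide, which is exactly why the thread's second commenter treats collision resistance as a requirement rather than a nice-to-have: once an adversary can construct a second blob with the same id, `verify_pinned` returns True for content nobody reviewed.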
fanf2 | 2 years ago