On Wed, Mar 14, 2018 at 6:01 PM, Alan Modra <amodra(a)gmail.com> wrote:
On Wed, Mar 14, 2018 at 04:40:25PM -0700, Andy Lutomirski wrote:
> I realize that the security issue here is barely relevant, but git’s use of SHA1 is
*not* okay, and git is migrating away for a reason.
Hmm, that's news to me. Heh, I've always been a bit suspicious of
git's reliability. ;-)
I'm afraid Andy has listened to a few too many hard-liner security
people - the bad kind that don't know shades of gray, and the kind
that aren't generally worth listening to.
SHA1 with the known attack weakness fixed (aka "Hardened SHA1", the
way git already does) in a non-certificate environment is fine.
The fact is, data identification is different from some kind of
security that depends on the key. I wouldn't use even hardened SHA1
for some security certificate. But for file ID's? Andy is confused.