Git is planning to switch to SHA-256 soon. This is all great news, but the best thing is the command to convert an existing repo to the new hash. It reads like a shitpost and gets better with each argument:
git convert-repo --to-hash=sha-256 --frobnicate-blobs --climb-subtrees --liability-waiver=none --use-shovels --carbon-offsets
Source: https://lwn.net/SubscriberLink/811068/cfeb6a67b8dfbe47/
@00dani I love how the article simply drops that like it is nothing and makes no effort at explaining it.
@brunoph i'm not sure there really is a risk from git using "vulnerable" sha-1 hashes tbh
i mean like. you could potentially forge a malicious commit with the same hash as a good commit, maybe, but how do you get anyone to accept it? if you try to push it upstream and the good commit's already there, they collide and git just keeps the good one it already has
you somehow have to replace the good commit with the bad one after it's been reviewed and accepted into upstream, at which point the good commit is already in the upstream repo and can't be overridden with a same-hashed commit
it doesn't seem like a possible attack vector even if you could produce good and evil commits with the same hash
being able to switch to stronger hashes is good for general peace of mind, i guess, but i'm not sure there are any plausible attacks being prevented that way
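Added example to go with the post above (not code from the thread, from LWN, or from Git itself): it computes object IDs the way `git hash-object` does, for both SHA-1 and the SHA-256 object format, and uses a constructed toy object store to model the behaviour the post describes, where an object whose ID already exists is never overwritten by a later write with the same ID. The `forced_oid` parameter is an assumption for demonstration only, so the demo can pretend a second blob hashes to an existing ID without anyone actually computing a collision.

```python
import hashlib
from typing import Dict, Optional, Tuple


def git_object_id(obj_type: str, content: bytes, algo: str = "sha1") -> str:
    """Object ID as `git hash-object` computes it: hash("<type> <size>\\0<content>").
    algo is "sha1" for today's repos and "sha256" for the new object format."""
    header = f"{obj_type} {len(content)}\0".encode()
    return hashlib.new(algo, header + content).hexdigest()


def ids_for_both_formats(content: bytes) -> Dict[str, str]:
    """Same blob, ID under each hash function (lengths 40 and 64 hex chars)."""
    return {algo: git_object_id("blob", content, algo) for algo in ("sha1", "sha256")}


class ObjectStore:
    """Toy content-addressed store (constructed for this example, not Git's code).
    Like Git's object database it never overwrites an object whose ID it holds."""

    def __init__(self, algo: str = "sha1") -> None:
        self.algo = algo
        self.objects: Dict[str, Tuple[str, bytes]] = {}

    def write(self, obj_type: str, content: bytes,
              forced_oid: Optional[str] = None) -> Tuple[str, bool]:
        # forced_oid is a demo-only stand-in so we can pretend a second object
        # hashes to an existing ID; no real collision is computed here.
        oid = forced_oid or git_object_id(obj_type, content, self.algo)
        if oid in self.objects:
            return oid, False  # existing object wins; incoming bytes are dropped
        self.objects[oid] = (obj_type, content)
        return oid, True

    def read(self, oid: str) -> bytes:
        return self.objects[oid][1]


def simulate_colliding_push() -> Dict[str, object]:
    """Upstream already holds the reviewed blob; a later blob arrives with the
    same (pretend) ID. Returns whether it was accepted and what upstream serves."""
    upstream = ObjectStore("sha1")
    reviewed = b"def is_admin(user):\n    return user.role == 'admin'\n"   # constructed
    colliding = b"def is_admin(user):\n    return True\n"                 # constructed
    good_oid, _ = upstream.write("blob", reviewed)
    _, accepted = upstream.write("blob", colliding, forced_oid=good_oid)
    return {"accepted_colliding": accepted, "served": upstream.read(good_oid)}


if __name__ == "__main__":
    print(ids_for_both_formats(b"hello"))
    print(simulate_colliding_push())
```

The store models only the write path the post talks about: whoever already has the reviewed object keeps it. It says nothing about a fetcher that has never seen the good object, which is a separate question the thread does not go into.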
@brunoph I still don't get why they are not switching to a multi-hash implementation.
@brunoph Frobnicate blobs holy fucking shit.
@brunoph --to-hash=ssdeep
@brunoph I'm pretty sure that was indeed shitposting by Corbet and not the actual command 😉
@michel_slm I don’t even know what to believe anymore. For all I know, I wanna frobnicate all my blobs now.
@brunoph I think I read it was basically a joke (with the fake git man pages as reference), not the *actual* command that remains to be chosen.
@brunoph okay what do *any* of these arguments mean
are you sure this isn't just a shitpost?
like okay, climb-subtrees sounds like a suitably CS-y thing. frobnicate-blobs sounds absolutely like something a bored programmer would name an argument that they don't have a name for. but use-shovels??? carbon-offsets??
Hey @iconography , as per https://lwn.net/SubscriberLink/811068/cfeb6a67b8dfbe47/ , § "How Git works, simplified", paragraph 3 (beginning "To understand why SHA‑1 matters..."), I see that you are known to the kernel / git dev team - known and feared
@brunoph the command's context in the article makes me think it truly is a shitpost
@brunoph Wait, I thought LWN was joking with that command...
@brunoph no matter if this command is real. It just sounds good.
@brunoph
@brunoph I think it's something jokey.
It comes from an in-joke where git man pages and old forestry books look pretty indistinguishable.
I don't follow. The guy says that:
> #Torvalds was unconcerned about the possibility of SHA‑1 being broken; as a result, he never designed in the ability to switch to a different hash;
And to prove his point he links to an email by Torvalds (blessed be His name, etc.) where Torvalds (BBHN, etc.) says the *exact opposite*. 🤔
@brunoph wtf how does that make any sense
@brunoph frobnicate blobs? 😂
use shovels 🤣
@brunoph oh wow, it IS a real word! 🤯
@brunoph why - why is the command like that
oh my god