Git is planning to switch to SHA-256 soon. This is all great news, but the best thing is the command to convert an existing repo to the new hash. It reads like a shitpost and gets better with each argument:
git convert-repo --to-hash=sha-256 --frobnicate-blobs --climb-subtrees --liability-waiver=none --use-shovels --carbon-offsets
@00dani I love how the article simply drops that like it is nothing and makes no effort at explaining it.
@brunoph i'm not sure there really is a risk from git using "vulnerable" sha-1 hashes tbh
i mean like. you could potentially forge a malicious commit with the same hash as a good commit, maybe, but how do you get anyone to accept it? if you try to push it upstream and the good commit's already there, they collide and git just keeps the good one it already has
you somehow have to replace the good commit with the bad one after it's been reviewed and accepted into upstream, at which point the good commit is already in the upstream repo and can't be overridden with a same-hashed commit
it doesn't seem like a possible attack vector even if you could produce good and evil commits with the same hash
being able to switch to stronger hashes is good for general peace of mind, i guess, but i'm not sure there are any plausible attacks being prevented that way
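The point made above (a same-hashed object cannot displace one the store already holds) is easy to see with a toy content-addressed store. The following is an added illustration, not code from this thread or from git itself: it computes ids the way git does (hash over `<type> <size>\0<content>`, with `hashlib` so the same function works for sha1 and sha256), and models git's write rule as "if the id already exists, keep the existing bytes". Real SHA-1 collisions are not reproduced here; a deliberately truncated hash (`truncated_id`) stands in for a broken one so a second preimage can be found by brute force and the store's behaviour observed. `ObjectStore`, `truncated_id`, `find_second_preimage` and `collision_demo` are names chosen for this example.

```python
import hashlib


def git_object_id(obj_type: str, content: bytes, algo: str = "sha1") -> str:
    """Object id as git computes it: hash over '<type> <size>\\0<content>'.
    algo is any hashlib name; 'sha1' is git's current hash, 'sha256' the planned one."""
    header = f"{obj_type} {len(content)}\0".encode()
    return hashlib.new(algo, header + content).hexdigest()


class ObjectStore:
    """Toy content-addressed store (assumption: simplified model, not git's code).
    Like git's object database it never overwrites an id it already holds."""

    def __init__(self, id_func):
        self.id_func = id_func  # callable (obj_type, content) -> id string
        self.objects = {}

    def write(self, obj_type: str, content: bytes):
        """Return (id, written). written is False when the id was already present,
        in which case the previously stored bytes are kept untouched."""
        oid = self.id_func(obj_type, content)
        if oid in self.objects:
            return oid, False
        self.objects[oid] = (obj_type, content)
        return oid, True

    def read(self, oid: str):
        return self.objects[oid]


def truncated_id(bits: int):
    """Stand-in for a broken hash: keep only the first `bits` bits of the sha1 id."""
    def id_func(obj_type, content):
        return git_object_id(obj_type, content)[: bits // 4]
    return id_func


def find_second_preimage(id_func, obj_type: str, target_id: str, limit: int = 1_000_000):
    """Brute-force a different content with the same (weak) id; None if not found."""
    for n in range(limit):
        candidate = b"forged commit content " + str(n).encode()
        if id_func(obj_type, candidate) == target_id:
            return candidate
    return None


def collision_demo(bits: int = 16) -> dict:
    """Store a good object, then try to push a forged one with the same id.
    With a 16-bit id a second preimage is found after ~65k tries on average."""
    store = ObjectStore(truncated_id(bits))
    good = b"good commit content\n"
    oid, _ = store.write("blob", good)
    forged = find_second_preimage(store.id_func, "blob", oid)
    if forged is None:
        raise RuntimeError("no second preimage within the search limit")
    oid2, written = store.write("blob", forged)
    return {
        "same_id": oid == oid2,          # the two contents really do collide
        "forged_written": written,       # False: store kept what it already had
        "stored": store.read(oid)[1],    # still the good content
    }


if __name__ == "__main__":
    print("sha1 id of 'hello\\n':", git_object_id("blob", b"hello\n"))
    print("sha256 id of 'hello\\n':", git_object_id("blob", b"hello\n", "sha256"))
    print(collision_demo())
```

The sha1 id printed for `hello\n` matches what `echo hello | git hash-object --stdin` gives, which is the check that the header format is right. The demo's outcome is the thread's argument in miniature: even with a hash weak enough to forge against, the store answers the second write with the object it already has, so the forgery only "wins" if it arrives before the genuine object does or reaches a store that has never seen it.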
@michel_slm I don’t even know what to believe anymore. For all I know, I wanna frobnicate all my blobs now.
@brunoph I think I read it was basically a joke (with the fake git man pages as reference), not the *actual* command that remains to be chosen.
@brunoph okay what do *any* of these arguments mean
are you sure this isn't just a shitpost?
like okay, climb-subtrees sounds like a suitably CS-y thing. frobnicate-blobs sounds absolutely like something a bored programmer would name an argument that they don't have a name for. but use-shovels??? carbon-offsets??
Hey @iconography , as per https://lwn.net/SubscriberLink/811068/cfeb6a67b8dfbe47/ , § "How Git works, simplified", paragraph 3 (beginning "To understand why SHA‑1 matters..."), I see that you are known to the kernel / git dev team - known and feared
@brunoph I think it's something jokey.
It comes from an in-joke where git man pages and old forestry books look pretty indistinguishable.
I don't follow. The guy says that:
> #Torvalds was unconcerned about the possibility of SHA‑1 being broken; as a result, he never designed in the ability to switch to a different hash;
And to prove his point he links to an email by Torvalds (blessed be His name, etc.) where Torvalds (BBHN, etc.) says the *exact opposite*. 🤔