On Thu, Feb 23, 2017 at 03:18:29PM -0800, bch wrote:

  [snip]
> 
> Or more correctly, "a *subsequent* file with the same sha1 hash..." If you
> happened to commit the Trojan file first, the "good" commit would have been
> the one to fail.
>

True, but if you pull from an untrusted user (or give push access to an
untrusted user), nothing prevents the trojan file from getting in, even
without a sha1 hash collision.

But at least, someone cannot replace a file you already have with a
malicious one with the same sha1 hash.

-- 
Martin G.
_______________________________________________
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users