Ulrich Mueller:
>>>>>> On Sat, 20 Sep 2014, hasufell wrote:
>
>>> Have these plans been abandoned, and are we now planning to
>>> distribute the tree to users via Git, where everything goes through
>>> the bottleneck of a SHA-1 sum, which was never intended as a
>>> security feature?
>
>> This is a bug in git. Do you want us to wait until it is resolved?
>
> Not a bug. There are VCSs (like Subversion or Bazaar) that use simple
> revision numbers to identify their commits. Git happens to use a hash,
> which is perfectly fine as long as accidental collisions are unlikely.
> Neither has to do anything with security, though.
>
Because there are other VCSs, it is not a bug?? Of course it is a bug, since it is in the gpg-signing chain, and to use it in a practical way is very unlikely. So you are suggesting to not migrate at all, or to severely break the workflow, because someone might forge _working code_ with a specific SHA1? There is no efficient algorithm for that, afaik; those are just about finding _any_ collision, and even then it takes considerable resources that can be used to break Gentoo in much easier ways. If you argue there might be someone who has already found more efficient algorithms (and didn't publish them), then I hope you don't really believe that using SHA256 will protect us from him.
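
To make concrete what "the gpg-signing chain" actually covers, here is an added example that is not from the thread and not git's own code: it recomputes git object ids in Python exactly as `git hash-object` does (SHA-1 over `<type> <size>\0<content>`), builds a blob, the tree that names it, the commit that names the tree, and the annotated-tag text a GPG signature would be made over, and then checks whether a replacement file could be swapped in under that signature. The file name, author string, tag name and messages are constructed for the example; the three ids compared at the end are the well-known ids of the empty blob, the blob containing `hello\n`, and the empty tree, so the serialization can be checked against a real git checkout.

```python
"""Recompute git object ids and show how a signature over a tag binds every
object below it only through those ids. Added example; not code from the
gentoo-dev thread or from git itself."""
import hashlib


def git_object_id(obj_type: bytes, content: bytes) -> str:
    """Object id exactly as `git hash-object -t <type>` computes it:
    SHA-1 over "<type> <size>\\0<content>"."""
    header = obj_type + b" " + str(len(content)).encode() + b"\0"
    return hashlib.sha1(header + content).hexdigest()


def tree_content(entries) -> bytes:
    """Serialize tree entries [(mode, name, hex_id), ...] in git's on-disk form.
    git sorts by name, comparing subtrees (mode 40000) as if named "name/"."""
    def key(entry):
        mode, name, _ = entry
        return name + ("/" if mode == "40000" else "")
    out = b""
    for mode, name, hex_id in sorted(entries, key=key):
        out += mode.encode() + b" " + name.encode() + b"\0" + bytes.fromhex(hex_id)
    return out


def commit_content(tree_id, parents, author, committer, message) -> bytes:
    """Commit object body: tree id, parent ids, author, committer, message."""
    lines = [f"tree {tree_id}"] + [f"parent {p}" for p in parents]
    lines += [f"author {author}", f"committer {committer}"]
    return ("\n".join(lines) + "\n\n" + message).encode()


def tag_content(commit_id, tag_name, tagger, message) -> bytes:
    """Body of an annotated tag. A signed tag is this text followed by an
    ASCII-armored signature over it, so the signature covers the commit
    only by its id, and everything below the commit only transitively."""
    return (f"object {commit_id}\ntype commit\ntag {tag_name}\n"
            f"tagger {tagger}\n\n{message}").encode()


# Constructed identity string; any fixed value works for the demonstration.
AUTHOR = "Example Dev <dev@example.invalid> 1411200000 +0200"


def signed_chain(file_bytes: bytes) -> dict:
    """Build blob -> tree -> commit -> tag for one constructed file and return
    the ids plus the exact bytes a tag signature would be computed over."""
    blob_id = git_object_id(b"blob", file_bytes)
    tree_id = git_object_id(b"tree", tree_content([("100644", "hello.txt", blob_id)]))
    commit_id = git_object_id(b"commit", commit_content(tree_id, [], AUTHOR, AUTHOR,
                                                         "Add hello.txt\n"))
    signed_bytes = tag_content(commit_id, "v1", AUTHOR, "release v1\n")
    return {"blob": blob_id, "tree": tree_id, "commit": commit_id,
            "signed_bytes": signed_bytes}


def substitution_survives_signature(original: bytes, replacement: bytes) -> bool:
    """True only if `replacement` could be served under a tag signature made
    for `original`: that requires the same blob id, i.e. a second preimage of
    the original blob. Any other change alters the tree id, then the commit id,
    then the signed tag bytes, and the signature no longer verifies."""
    return (signed_chain(original)["signed_bytes"]
            == signed_chain(replacement)["signed_bytes"])


if __name__ == "__main__":
    chain = signed_chain(b"hello\n")
    print("blob  ", chain["blob"])
    print("tree  ", chain["tree"])
    print("commit", chain["commit"])
    print("one-byte change survives signature:",
          substitution_survives_signature(b"hello\n", b"hello\r\n"))
```

The point the code makes is the one the thread is arguing about: for an attacker to place different file content under an existing signature, the substitute must hash to the same blob id as the specific original (a second preimage), not merely collide with some other arbitrary input; a free collision between two attacker-chosen blobs only helps if the attacker can get one of them signed first.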
