On 11/04/2015 05:33 PM, Chí-Thanh Christopher Nguyễn wrote: > hasufell schrieb: >> On 11/04/2015 09:56 AM, Andrew Savchenko wrote: >>> No, it is not. The whole git tree is insecure and no better than >>> rsync or CVS in terms of data security because SHA1 is vulnerable. >>> >> Another one who is confusing _any_ collision with _preimage attack_ ;) > > While Andrew's view is very pessimistic here, yours is decidedly > optimistic. > > There is no known computationally feasible preimage attack against MD5, > still that hash function is broken in serious ways with attacks already > having real-world consequences. > > It would be quite naïve to assume that SHA1 will remain secure until a > preimage attack is found. >
I didn't. Numerous crypto-analysts have already expressed that SHA-1 is not future-proof. However, saying "it is vulnerable" is simply exaggeration and suggests people should do the math before posting such things. We already had that discussion before the git migration and it is quite pointless. If you want to improve the situation, go talk to git upstream and send patches.
