On Tue, Nov 25, 2014 at 10:47 AM, Jeff King p...@peff.net wrote:
Maybe we can fix the tree-sorting order while we are at it. :)
At this speed, there's a teeny tiny chance that pack v4 will be ready by
Git v3.0 and we can pile that on top of the new tree format. And we
don't have to worry about
On Tue, Nov 25, 2014 at 08:16:15AM +0700, Duy Nguyen wrote:
On Tue, Nov 25, 2014 at 1:14 AM, Nico Williams n...@cryptonector.com wrote:
Is there a plan for upgrading to a better hash function in the future?
(E.g., should it become an urgent need.)
What are the roadblocks to adoption of a
On Mon, Nov 24, 2014 at 06:44:10PM +0700, Duy Nguyen wrote:
I wonder if we can have an option to sign all blob content of the tree
associated to a commit, and the content of parent commit(s). It's more
expensive than signing just commit/tag content. But it's also safer
without completely
On 22.11.2014 00:01, Patrick Schleizer wrote:
Dear git developers!
Jeff King wrote:
On Sun, Nov 16, 2014 at 03:31:10PM +, Patrick Schleizer wrote:
How safe are signed git tags? Especially because git uses SHA-1. There
is contradictory information around.
So if one verifies a git tag
Jeff King p...@peff.net writes:
On Tue, Nov 25, 2014 at 08:52:58AM +0700, Duy Nguyen wrote:
On Tue, Nov 25, 2014 at 8:23 AM, Jonathan Nieder jrnie...@gmail.com wrote:
I think the biggest obstacle is the upgrade path. ;-)
In the worst case we can always treat new repos as a different VCS.
Duy Nguyen schrieb am 24.11.2014 um 02:23:
On Tue, Nov 18, 2014 at 4:26 AM, Jeff King p...@peff.net wrote:
Yes, it is only as safe as SHA-1 in the sense that you have GPG-signed
only a SHA-1 hash. If somebody can find a collision with a hash you have
signed, they can substitute the colliding
On Mon, Nov 24, 2014 at 5:15 PM, Michael J Gruber
g...@drmicha.warpmail.net wrote:
Duy Nguyen schrieb am 24.11.2014 um 02:23:
On Tue, Nov 18, 2014 at 4:26 AM, Jeff King p...@peff.net wrote:
Yes, it is only as safe as SHA-1 in the sense that you have GPG-signed
only a SHA-1 hash. If somebody
On Mon, Nov 24, 2014 at 11:15:34AM +0100, Michael J Gruber wrote:
I wonder if we can have an option to sign all blob content of the tree
associated to a commit, and the content of parent commit(s). It's more
expensive than signing just commit/tag content. But it's also safer
without
Is there a plan for upgrading to a better hash function in the future?
(E.g., should it become an urgent need.)
What are the roadblocks to adoption of a replacement hash function?
Just documenting this would go a long way towards making it possible
to upgrade some day.
Thanks,
Nico
On Tue, Nov 25, 2014 at 1:14 AM, Nico Williams n...@cryptonector.com wrote:
Is there a plan for upgrading to a better hash function in the future?
(E.g., should it become an urgent need.)
What are the roadblocks to adoption of a replacement hash function?
Just documenting this would go a
Duy Nguyen wrote:
The biggest obstacle is the assumption of SHA-1 everywhere in the
source code (e.g. assume the object name always takes 20 bytes). Brian
started on cleaning that up [1] but I think it's stalled. Then we need
to deal with upgrade path for SHA-1 repos.
I think the biggest
On Tue, Nov 25, 2014 at 8:23 AM, Jonathan Nieder jrnie...@gmail.com wrote:
I think the biggest obstacle is the upgrade path. ;-)
In the worst case we can always treat new repos as a different VCS. So
people will need a migration from SHA-1 to the new format, just like
they migrate from SVN/CVS
That's not *as* painful, because you'd have the beautiful
fast-{import/export} tools in your new and old version control system.
But yeah, there might be better ways to do so.
On Mon, Nov 24, 2014 at 5:52 PM, Duy Nguyen pclo...@gmail.com wrote:
On Tue, Nov 25, 2014 at 8:23 AM, Jonathan Nieder
On Tue, Nov 25, 2014 at 08:52:58AM +0700, Duy Nguyen wrote:
On Tue, Nov 25, 2014 at 8:23 AM, Jonathan Nieder jrnie...@gmail.com wrote:
I think the biggest obstacle is the upgrade path. ;-)
In the worst case we can always treat new repos as a different VCS. So
people will need a migration
Hi, I wanted to chime in on the topic of SHA1 weaknesses and breaks. The
problem is the idea that SHA1 breaks are theoretical and will only be
relevant in a decade or two.
I think it's a telling sign when even companies like Google [1] and
Microsoft [2] who collaborate with spy agencies are
On Tue, Nov 18, 2014 at 4:26 AM, Jeff King p...@peff.net wrote:
Yes, it is only as safe as SHA-1 in the sense that you have GPG-signed
only a SHA-1 hash. If somebody can find a collision with a hash you have
signed, they can substitute the colliding data for the data you signed.
I wonder if we
On Fri, Nov 21, 2014 at 11:01:26PM +, Patrick Schleizer wrote:
Yes, it is only as safe as SHA-1 in the sense that you have GPG-signed
only a SHA-1 hash. If somebody can find a collision with a hash you have
signed, they can substitute the colliding data for the data you signed.
[..]
On Fri, Nov 21, 2014 at 06:32:46PM -0500, Jason Pyeron wrote:
The whole issue is a lot better than this makes it sound. Yes it is
just a SHA1 hash, but it is a hash of a structured data format.
You have very observable parts of that well structured data provided to the
hash.
Yeah, I
Dear git developers!
Jeff King wrote:
On Sun, Nov 16, 2014 at 03:31:10PM +, Patrick Schleizer wrote:
How safe are signed git tags? Especially because git uses SHA-1. There
is contradictory information around.
So if one verifies a git tag (`git tag -v tagname`), then `checksout`s
the
-Original Message-
From: Patrick Schleizer
Sent: Friday, November 21, 2014 18:01
Dear git developers!
Jeff King wrote:
On Sun, Nov 16, 2014 at 03:31:10PM +, Patrick Schleizer wrote:
How safe are signed git tags? Especially because git uses
SHA-1. There
is
On Sun, Nov 16, 2014 at 03:31:10PM +, Patrick Schleizer wrote:
How safe are signed git tags? Especially because git uses SHA-1. There
is contradictory information around.
So if one verifies a git tag (`git tag -v tagname`), then `checksout`s
the tag, and checks that `git status` reports
21 matches