On Mon, 28 Aug 2006, Johannes Schindelin wrote:

Signed tags fundamentally have to be re-signed. That's by design: if somebody could rewrite an archive and signed tags would still be accepted to have the right signature, that would be a _serious_ sign of a totally broken security model. The git security model isn't broken.

Indeed. Hybrids would not only do no good, but they would actually _actively_ hurt things, because they'd fundamentally break the notion that the hash being identical means that the object (blob, tree, subtree) is the same. So allowing two names for the same object is very fundamentally wrong in git-speak.

Yes. It would be reasonably painful for users, though (as Krzysztof correctly points out). Every client would have to convert when a repository they track is converted.

Yeah, I don't think this is at all critical, especially since git really on a security level doesn't _depend_ on the hashes being cryptographically secure.

As I explained early on (ie over a year ago, back when the whole design of git was being discussed), the _security_ of git actually depends on not cryptographic hashes, but simply on everybody being able to secure their own _private_ repository.

So the only thing git really _requires_ is a hash that is _unique_ for the developer (and there we are talking not of an _attacker_, but a benign participant).

That said, the cryptographic security of SHA-1 is obviously a real bonus. So I'd be disappointed if SHA-1 can be broken more easily (and I obviously already argued against using MD5, exactly because generating duplicates of that is fairly easy). But it's not "fundamentally required" in git per se.

[ The one exception: the "signed tags" security does depend on the hashes being cryptographically strong. So again, breaking SHA-1 would not mean that git stops working, but it _would_ potentially mean that if you don't trust your own _private_ repository, the signed tag may no longer protect you entirely ]

Correct.
I'm pretty sure we had exactly this discussion around May 2005, but I'm too lazy to search ;)

Linus
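An added illustration, not part of the message above and not git's own code: it names a blob, tree and commit the way git does (hash of `<type> <size>\0` plus the body) and shows why a tag signature stops verifying once either the content or the hash function changes. The identity, key and file content are constructed, an HMAC stands in for the PGP signature, and SHA-256 is used only to model "a repository converted to another hash".

```python
import hashlib
import hmac

IDENT = b"A U Thor <author@example.com> 1156723200 +0000"  # constructed identity
KEY = b"constructed-demo-key"  # stand-in for the tagger's private key

def object_id(algo, kind, body):
    """Name an object the way git does: hash of b'<type> <size>\\0' + body."""
    header = kind.encode() + b" " + str(len(body)).encode() + b"\0"
    return hashlib.new(algo, header + body).digest()

def tag_payload(algo, file_bytes):
    """Build blob -> tree -> commit and return the tag text a signature covers."""
    blob = object_id(algo, "blob", file_bytes)
    tree = object_id(algo, "tree", b"100644 README\0" + blob)  # raw id embedded
    commit_body = (b"tree " + tree.hex().encode() + b"\nauthor " + IDENT +
                   b"\ncommitter " + IDENT + b"\n\ninitial import\n")
    commit = object_id(algo, "commit", commit_body)
    return (b"object " + commit.hex().encode() + b"\ntype commit\ntag v1.0\n"
            b"tagger " + IDENT + b"\n\nrelease v1.0\n")

def sign(payload):
    """HMAC stand-in for the PGP signature appended to a tag object."""
    return hmac.new(KEY, payload, hashlib.sha256).hexdigest()

def verify(payload, signature):
    """Check a signature against the tag text it is supposed to cover."""
    return hmac.compare_digest(sign(payload), signature)

def demo():
    """Sign a tag once, then re-check it after a rewrite and after a hash change."""
    original = tag_payload("sha1", b"hello\n")
    sig = sign(original)
    return {
        "same_repo": verify(original, sig),
        "content_rewritten": verify(tag_payload("sha1", b"hell0\n"), sig),
        "hash_converted": verify(tag_payload("sha256", b"hello\n"), sig),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: signature {'accepted' if ok else 'rejected'}")
```

The signature covers only the tag text, and that text names the commit by hash, so everything below the tag is protected exactly as far as the hash resists collisions.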
