Btw, this is obviously only true for the native git protocol itself.
If the attacker can fool you into generating the new file _yourself_, he
can cause your checked-out copy to not match the git object database any
more.
In other words, one "interesting" attack vector is to feed you the
colliding SHA1 not through a git-to-git transfer, but by generating a
_patch_ that when applied will generate the collision, so that when you
then commit that patch, you get something else than you expected.
And _this_ is where it's important that the hash that git uses be a
non-trivial one - ie we don't want people to be able to generate two files
that look superficially "ok".
So here's the rule: If you ever get a patch that looks like line-noise,
especially from somebody you don't trust, DON'T APPLY IT!
Now, that is obviously something you should never do _regardless_ of any
git issues, so I don't think this is really a problem either. If you apply
patches from people you don't have a good reason to trust without
sanity-checking them, you deserve whatever you get, and quite frankly, a
SHA1 hash collision is the _least_ of your problems ;)
(This ends up boiling down to one common issue: it's generally _much_
easier to attack a project through _other_ means than through a hash
collision. And I pretty much guarantee that that is the case even if we
were to use a much weaker hash, like MD5. Hash collisions fundamentally
just aren't good attack vectors, and it's a hell of a lot easier to try
to insert bad code by other means)
Linus
-
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
