Gioele Barabucci <gio...@svario.it> writes: > But pulling a successful collision attack is not a trivial task. For > instance, the xz attacker did not have all that was required to carry > it out (for example they had no direct access to the git > servers... yet).
Is that necessary? It seems that if you have push access, you can push a colliding commit. Does GitLab on Salsa verify (and reject?) colliding commit ids a'la SHA1-CD? Would the tag2upload git server do that? /Simon
signature.asc
Description: PGP signature