si...@josefsson.org wrote: >Can this be substantiated? Using SHA1CD in Git does not necessarily >mean someone cannot manually create a Git repository with a colliding >git commit somewhere in the history that gets accepted by git, and >allows someone to replace actual file contents. That may be the case, >but I haven't seen any detailed analysis answering that. This is quite a strong assertion, and it is up to you to prove it. The current consensus among cryptography experts is that SHA-1 is still resistant to preimage attacks.
-- ciao, Marco