On 21 September 2014 09:01, hasufell <hasuf...@gentoo.org> wrote:
> Because there are other VCSs it is not a bug??
>

No, it just means "using SHA1 for making a repository work" is not a bug, just like using "i am number 6, parent is number 5" is not a "security" bug.

> Of course it is a bug since it is in the gpg-signing chain and to use it
> in a practical way is very unlikely.
>

It's only a bug in that we're intending to use it for something it was not designed for. SHA1s are not a security mechanism for Git. GPGs are not entirely useless there, just we're taking more meaning from it than it really supports. I literally read GPG as being no more evidence than proof that "yes, I wrote that commit message, and I wrote that commit". It doesn't prove you made any of those dependencies (because some of those dependencies are git's entire history of commits down the parent -> parent -> parent line).

> So you are suggesting to not migrate at all or severely break the
> workflow because someone might forge _working code_ with a specific
> SHA1? There is no efficient algorithm for that afaik, those are just
> about finding _any_ collision and even then it takes considerable
> resources that can be used to break gentoo in much easier ways.
>

He is proposing quite the opposite. He's saying "git is not secure in this way, but let's not let that stop us, migrate and fix that after the fact or we'll never get around to it, because all this debate is the perfect being the enemy of the good".

Git is still more than adequately secure without GPG to defend against a whole bunch of attacks you'd need NSA grade stuff to attack as it is, and GPG on the commits themselves basically rules out the easiest place somebody *could* get things in without a GPG.

That is to say: without gpg, you can just create some random commit with some arbitrary content and push it somewhere, and you can pretend you're a gentoo dev and pretend you're writing commits as them.

GPG sufficiently prevents that from happening, and takes it from amateur grade imposter requirements to NSA grade imposter requirements. And that's not a bad compromise for being imperfect.

--
Kent

*KENTNL* - https://metacpan.org/author/KENTNL
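The point Kent makes about what a commit signature actually vouches for can be made concrete by looking at the bytes Git signs. The following is an added example (not code from the thread or from Git itself): it serializes a commit object the way Git does, strips the `gpgsig` header to recover the exact payload `git verify-commit` hands to gpg, and shows that the only link from that payload to the rest of history is a bare SHA-1 parent id. Tree id, parent id, identity and signature armor are constructed sample values.

```python
import hashlib

# Constructed sample values, not real Gentoo objects.
TREE_ID, PARENT_ID = "a" * 40, "b" * 40
IDENT = "Dev Name <dev@example.org> 1411290060 +0200"
SIG = "-----BEGIN PGP SIGNATURE-----\n\nconstructed-armor\n-----END PGP SIGNATURE-----"

def git_object_id(obj_type, body):
    """Git names every object by SHA-1 over '<type> <size>\\0<body>'."""
    return hashlib.sha1(f"{obj_type} {len(body)}\0".encode() + body).hexdigest()

def build_commit(tree, parents, ident, message, signature=None):
    """Serialize a commit object as Git does. 'gpgsig' is a multi-line header
    whose continuation lines are prefixed with one space."""
    headers = [f"tree {tree}"] + [f"parent {p}" for p in parents]
    headers += [f"author {ident}", f"committer {ident}"]
    if signature is not None:
        sig = signature.split("\n")
        headers += ["gpgsig " + sig[0]] + [" " + s for s in sig[1:]]
    return ("\n".join(headers) + "\n\n" + message).encode()

def signed_payload(commit):
    """What `git verify-commit` hands to gpg: the object minus its gpgsig header."""
    head, _, msg = commit.partition(b"\n\n")
    kept, in_sig = [], False
    for line in head.split(b"\n"):
        if line.startswith(b"gpgsig "):
            in_sig = True
        elif in_sig and line.startswith(b" "):
            pass  # signature continuation line, not part of the signed bytes
        else:
            in_sig = False
            kept.append(line)
    return b"\n".join(kept) + b"\n\n" + msg

def history_references(payload):
    """Everything the signature says about history: bare 40-hex ids. Trust in
    the parent's content therefore rests on SHA-1, not on the signature."""
    refs = {"tree": None, "parents": []}
    for line in payload.split(b"\n\n")[0].split(b"\n"):
        key, _, value = line.decode().partition(" ")
        if key == "tree":
            refs["tree"] = value
        elif key == "parent":
            refs["parents"].append(value)
    return refs
```

Building the same commit with and without `SIG` and comparing `signed_payload(signed)` to the unsigned object shows they are byte-identical, which is why a valid signature can only attest to the message, the identity, and the parent and tree ids it names.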