On 2022-02-06 16:43:47 -0500, Mike Frysinger wrote:
> it requires more than a MITM to be successful. you'd also have to
> come up with a sha1 collision which is non-trivial for most people.
> not out of the reach of nation states, but we prob aren't the target
> market :p.

I don't understand why you would need a sha1 collision, while you don't have a sha1 to compare with: say, the current local status is at a commit common to the real repository and to a fake repository, then the remote repositories diverge: with a "git fetch" only, how can you distinguish the real new commits and the fake new commits?

--
Vincent Lefèvre <vinc...@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)