Git 2.29 Released With Experimental Support For Using More Secure SHA-256

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Git 2.29 Released With Experimental Support For Using More Secure SHA-256

    Phoronix: Git 2.29 Released With Experimental Support For Using More Secure SHA-256

    Git 2.29 is now available with experimental support for using SHA-256 to increase security of code repositories over the possibility of intentional SHA-1 collisions with the current indices...


  • #2
    Is this a typo? This doesn't make much sense to me:

    When using the SHA-256 object format, pack checksums, index checksums, and object IDs are all generated using SHA-1 while this new format is changing it out completely for SHA-256.

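How an object ID is derived under each object format, as an added example that is not part of the thread or of Git's own code: the same header-plus-body construction Git uses for blob and tree IDs, run once with SHA-1 and once with SHA-256. The function names and sample file contents are constructed for illustration, and the tree helper assumes a flat directory of regular files.

```python
import hashlib

# Hash function behind each Git object format.
ALGOS = {"sha1": hashlib.sha1, "sha256": hashlib.sha256}

def object_id(obj_type, body, fmt="sha1"):
    """Object ID: hash of b'<type> <size>\\0' followed by the object body."""
    header = f"{obj_type} {len(body)}".encode() + b"\0"
    return ALGOS[fmt](header + body).hexdigest()

def tree_body(entries):
    """Serialize (mode, name, hex_id) entries; child IDs are stored as raw bytes."""
    out = b""
    for mode, name, oid_hex in sorted(entries, key=lambda e: e[1].encode()):
        out += f"{mode} {name}".encode() + b"\0" + bytes.fromhex(oid_hex)
    return out

def snapshot_id(files, fmt="sha1"):
    """ID of a flat tree (regular files only, no subdirectories)."""
    entries = [("100644", name, object_id("blob", data, fmt))
               for name, data in files.items()]
    return object_id("tree", tree_body(entries), fmt)

if __name__ == "__main__":
    # Constructed sample content, not taken from any real repository.
    files = {"README": b"hello world\n", "empty.txt": b""}
    for fmt in ALGOS:
        print(fmt, "blob", object_id("blob", files["README"], fmt))
        print(fmt, "tree", snapshot_id(files, fmt))
```

Because a tree embeds the raw IDs of its children, the hash choice propagates through every level of the repository, which is why the two formats produce entirely different IDs for identical content.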


    • #3
      Originally posted by Calinou
      Is this a typo? This doesn't make much sense to me:
      That dreaded SHA collision again!



      • #4
        SHA-2? What about SHA-3 (Keccak) or BLAKE3?



        • #5
          Originally posted by uid313
          SHA-2? What about SHA-3 (Keccak) or BLAKE3?
          See https://github.com/git/git/blob/mast....txt#L603-L634



          • #6
            It didn't really mention why more modern hashes were not used. I mean, one could argue they are not widespread enough. But it should be easy to simply copy & paste a C implementation to the repo as a fallback. Nevertheless, sha256 is a solid choice today. Maybe it will be easier to migrate to a better solution in 10 years.


            • #7
              in b4 "why would anyone choose Git over Mercurial/SVN/etc.?" and "is Git easier to use now?"



              • #8
                Originally posted by uid313
                SHA-2? What about SHA-3 (Keccak) or BLAKE3?
                OK, but why? Because 3 is bigger than 2?

                As developers we should keep in mind that SHA-3 does not deprecate SHA-2. I always consider using SHA-3 where I needed HMAC with SHA-2 before, but other than that, why? (I'm not a cryptographer so I'm well receptive of actual knowledgeable arguments on this)



                • #9
                  Originally posted by oleid

                  It didn't really mention why more modern hashes were not used. I mean, one could argue they are not widespread enough. But it should be easy to simply copy & paste a C implementation to the repo as a fallback. Nevertheless, sha256 is a solid choice today. Maybe it will be easier to migrate to a better solution in 10 years.
                  One thing that really makes me feel uneasy about their choice is that SHA-2's structure is very much like SHA-1's.
                  Considering the current transition progress, it is very possible that another major weakness would be found within a few years of finishing the SHA-2 transition.



                  • #10
                    Originally posted by jntesteves

                    OK, but why? Because 3 is bigger than 2?

                    As developers we should keep in mind that SHA-3 does not deprecate SHA-2. I always consider using SHA-3 where I needed HMAC with SHA-2 before, but other than that, why? (I'm not a cryptographer so I'm well receptive of actual knowledgeable arguments on this)
                    Yeah, pretty much that, because 3 is bigger than 2.
                    I don't know much about cryptography either.
