Git 2.29 Released With Experimental Support For Using More Secure SHA-256


  • Git 2.29 Released With Experimental Support For Using More Secure SHA-256

    Phoronix: Git 2.29 Released With Experimental Support For Using More Secure SHA-256

    Git 2.29 is now available with experimental support for using SHA-256 to increase security of code repositories over the possibility of intentional SHA-1 collisions with the current indices...

    http://www.phoronix.com/scan.php?pag...9-With-SHA-256
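
How an object ID is derived under each object format, as an added example that is not part of the thread and is not Git's own code: Git hashes `<type> <size>\0<body>` with the repository's hash, and a tree stores each child ID as raw bytes, so one tree cannot mix 20-byte and 32-byte IDs. The function names and the sample file are assumptions made for illustration, and only flat directories of regular files are handled.

```python
import hashlib

# Raw object-ID width in bytes for each Git object format.
OID_BYTES = {"sha1": 20, "sha256": 32}

def object_id(obj_type: str, body: bytes, fmt: str) -> str:
    """Hash '<type> <size>\\0<body>' with the repository's object format."""
    if fmt not in OID_BYTES:
        raise ValueError(f"unknown object format: {fmt}")
    header = f"{obj_type} {len(body)}".encode() + b"\x00"
    return hashlib.new(fmt, header + body).hexdigest()

def tree_body(entries, fmt: str) -> bytes:
    """Serialize (mode, name, hex_oid) entries; each child OID is stored raw."""
    out = b""
    for mode, name, hex_oid in sorted(entries, key=lambda e: e[1].encode()):
        raw = bytes.fromhex(hex_oid)
        # A SHA-1 ID inside a SHA-256 tree (or the reverse) is malformed.
        if len(raw) != OID_BYTES[fmt]:
            raise ValueError(f"{name}: {len(raw)}-byte OID in a {fmt} tree")
        out += f"{mode} {name}".encode() + b"\x00" + raw
    return out

def snapshot(files: dict, fmt: str):
    """Return (tree_oid, tree_body) for a flat directory of regular files."""
    entries = [("100644", n, object_id("blob", d, fmt)) for n, d in files.items()]
    body = tree_body(entries, fmt)
    return object_id("tree", body, fmt), body

# Constructed sample content, not taken from any real repository.
SAMPLE = {"hello.txt": b"hello\n"}

if __name__ == "__main__":
    for fmt in OID_BYTES:
        tree_oid, body = snapshot(SAMPLE, fmt)
        print(fmt, "blob", object_id("blob", SAMPLE["hello.txt"], fmt))
        print(fmt, "tree", tree_oid, f"({len(body)} body bytes)")
```

Because every tree and commit embeds the IDs of the objects it points to, changing the hash changes every ID up to the commit, which is why the object format is chosen per repository.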

  • #2
    Is this a typo? This doesn't make much sense to me:

    When using the SHA-256 object format, pack checksums, index checksums, and object IDs are all generated using SHA-1 while this new format is changing it out completely for SHA-256.



    • #3
      Originally posted by Calinou:
      Is this a typo? This doesn't make much sense to me:
      That dreaded SHA collision again!



      • #4
        SHA-2? What about SHA-3 (Keccak) or BLAKE3?



        • #5
          Originally posted by uid313:
          SHA-2? What about SHA-3 (Keccak) or BLAKE3?
          See https://github.com/git/git/blob/mast....txt#L603-L634



          • #6
            It didn't really mention why more modern hashes were not used. I mean, one could argue they are not widespread enough. But it should be easy to simply copy&paste a C implementation to the repo as fallback. Nevertheless, sha256 is a solid choice, today. Maybe it will be easier to migrate to a better solution in 10 years.


            • #7
              in b4 "why would anyone choose Git over Mercurial/SVN/etc.?" and "is Git easier to use now?"



              • #8
                Originally posted by uid313:
                SHA-2? What about SHA-3 (Keccak) or BLAKE3?
                OK, but why? Because 3 is bigger than 2?

                As developers we should keep in mind that SHA-3 does not deprecate SHA-2. I always consider using SHA-3 where I needed HMAC with SHA-2 before, but other than that, why? (I'm not a cryptographer so I'm well receptive of actual knowledgeable arguments on this)



                • #9
                  Originally posted by oleid:

                  It didn't really mention why more modern hashes were not used. I mean, one could argue they are not widespread enough. But it should be easy to simply copy&paste a C implementation to the repo as fallback. Nevertheless, sha256 is a solid choice, today. Maybe it will be easier to migrate to a better solution in 10 years.
                  One thing that really makes me feel uneasy about their choice is that SHA-2's structure is very much like SHA-1's.
                  Considering the current transition progress, it is very possible that another major weakness would be found within a few years of finishing the SHA-2 transition.



                  • #10
                    Originally posted by jntesteves:

                    OK, but why? Because 3 is bigger than 2?

                    As developers we should keep in mind that SHA-3 does not deprecate SHA-2. I always consider using SHA-3 where I needed HMAC with SHA-2 before, but other than that, why? (I'm not a cryptographer so I'm well receptive of actual knowledgeable arguments on this)
                    Yeah, pretty much that, because 3 is bigger than 2.
                    I don't know much about cryptography either.
