recent discussion regarding 'checksums'
matt at mattmccutchen.net
Tue Sep 28 21:04:27 MDT 2010
On Mon, 2010-09-27 at 22:33 -0400, Benjamin R. Haskell wrote:
> But the flip side is that rsync is not a security tool. MD5 is fine for
> rsync for the same reason SHA-1 (which, as with all hashes, will
> eventually be "broken") is fine for git:
This gets a little off topic, but I /do/ want git to use a
collision-resistant hash function. I would like to be able to fetch
from others without giving them a free pass to poison my repository. I
believe that was the original intended semantic of the "fetch"
operation; it's only now eroding as SHA-1 gets studied. But the risk
isn't great enough to goad me into action yet.
More information about the rsync