recent discussion regarding 'checksums'

Matt McCutchen matt at mattmccutchen.net
Tue Sep 28 21:04:27 MDT 2010


On Mon, 2010-09-27 at 22:33 -0400, Benjamin R. Haskell wrote:
> But the flip side is that rsync is not a security tool.  MD5 is fine for 
> rsync for the same reason SHA-1 (which, as with all hashes, will 
> eventually be "broken") is fine for git:

This gets a little off topic, but I /do/ want git to use a
collision-resistant hash function.  I would like to be able to fetch
from others without giving them a free pass to poison my repository.  I
believe that was the original intended semantic of the "fetch"
operation; it's only now eroding as SHA-1 gets studied.  But the risk
isn't great enough to goad me into action yet.

-- 
Matt


