[Whonix-devel] How safe are signed git tags? Only as safe as SHA-1 or somehow safer?
mikegerwitz at gnu.org
Tue Nov 4 04:35:11 CET 2014
-----BEGIN PGP SIGNED MESSAGE-----
On Mon, Nov 03, 2014 at 09:08:53 +0000, Patrick Schleizer wrote:
> Linus Torvalds said: 
>> Git uses SHA-1 not for security
> And goes on.
>> The security parts are elsewhere
> Could you please elaborate on this? Where are the security parts? Can
> you please briefly explain how these work? Where can I read more about this?
This would be a better question for the git mailing list.
Afaik, the only "security" that existed at the time he wrote that would
have been GPG-signed tags (and today, the only additional would be
GPG-signed commits). But I could be mistaken.
> Wikipedia says.
>> Nonetheless, without second preimage resistance of SHA-1 signed
>> commits and tags would no longer secure the state of the repository as
>> they only sign the root of a Merkle tree.
> Which contradicts what Linus Torvalds said. What does that mean for
> security? Which statement is true?
My assumption is that he relies (or relied) upon the integrity of
SHA-1. As I mentioned in the Horror Story, he mentioned that he need
only remember the SHA-1 of the tip of his branch to rest assured that
the copy of a repository is identical to his own. But it'd be worth
asking him or someone on the mailing list.
> If (!) I understand Mike Gerwitz ([...] GNU [...]) 's opinion, his
> opinion is, that for best security each and every commit should be
> signed for best possible git verification security.
> - Verbose reply by Mike Gerwitz to my question. 
Sure, but I don't sign every commit personally in practice. I won't
repeat what I said in  here, though.
>  https://www.whonix.org/forum/index.php/topic,538.msg4278.html#msg4278
Free Software Hacker | GNU Maintainer
FSF Member #5804 | GPG Key ID: 0x8EE30EAB
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
-----END PGP SIGNATURE-----