On Sat, Jun 18, 2016 at 03:10:27AM +0100, Leo Gaspard wrote:
> First, sorry for not having this message threaded: I'm not subscribed to
> the list and haven't found a way to get a Message-Id from gmane.

Sorry it's taken so long to get back to this. I've been at a conference.

> So, my questions to the git team:
> * Is there a consensus, that git should migrate away from SHA-1 before
> it gets a collision attack, because it would mean chosen-prefix
> collision isn't far away and people wouldn't have the time to upgrade?

I plan on adding support for a new hash as soon as that's possible, but
I don't have a firm timeline. This is a volunteer effort in my own
limited free time.

> * Is there a consensus, that Peter Anvin's amended transition plan is
> the way to go?

I'm not planning on changing algorithms in the middle of a repository.
This will only be available on new or imported repositories.

My current thinking on proposed algorithms is SHA3-256 or BLAKE2b-256.
The cryptanalysis on SHA-256 indicates that it may not be a great
long-term choice, and I expect people won't want to change algorithms
frequently.

If time becomes extremely urgent, we can always add support for a
160-bit hash first (e.g. BLAKE2b-160) and then finish the object_id
transition later as it becomes convenient. I'd like to avoid that,
though.

> * If the two conditions above are fulfilled, has work started on it
> yet? (I guess as Brian Carlson had started his work 9 weeks ago and he
> was speaking about working on it on the week-end he should have finished
> it now, so excluding this)

It takes a long time to get a patch series through. I'm rather busy and
don't always have time to rebase and address issues during the week.

> * If the two first conditions are fulfilled, is there anything I could
> do to help this transition? (including helping Brian if his work hasn't
> actually ended yet)

You're welcome to send patches if you like. I try to avoid areas I know
are under heavy development, like the refs code.

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | https://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: https://keybase.io/bk2204