Re: .gitmodules security

From: Vincent Lefevre
Subject: Re: .gitmodules security
Date: Mon, 7 Feb 2022 00:19:36 +0100
User-agent: Mutt/2.1.5+134 (92686e5d) vl-138565 (2022-02-02)

On 2022-02-06 16:43:47 -0500, Mike Frysinger wrote:
> it requires more than a MITM to be successful. you'd also have to
> come up with a sha1 collision which is non-trivial for most people.
> not out of the reach of nation states, but we prob aren't the target
> market :p.

I don't understand why you would need a sha1 collision, while you
don't have a sha1 to compare with: say, the current local status is
at a commit common to the real repository and to a fake repository,
then the remote repositories diverge: with a "git fetch" only, how
can you distinguish the real new commits and the fake new commits?

Vincent Lefèvre <> - Web: <>
100% accessible validated (X)HTML - Blog: <>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
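
Added example, not part of the original message or thread: a shell sketch of the scenario in the question above, showing that a plain `git fetch` accepts well-formed descendants of the local commit from either remote, and that only a comparison with a commit id known in advance separates them. The repository names `real`, `fake` and `local`, the commit messages, and the out-of-band `expected` id are constructed assumptions.

```shell
#!/bin/sh
# Constructed demo: repository names and commit contents are made up.
g() { git -c user.name=demo -c user.email=demo@example.invalid \
          -c commit.gpgsign=false "$@"; }

demo() {
    tmp=$(mktemp -d) || return 1
    (
        cd "$tmp" || exit 1
        # "real" upstream with one commit; "fake" starts as an exact copy.
        g init -q real
        g -C real commit -q --allow-empty -m "common base"
        g clone -q real fake
        g clone -q real local      # local checkout sits at the common commit
        # The two remotes now diverge from that common commit.
        g -C real commit -q --allow-empty -m "real new commit"
        g -C fake commit -q --allow-empty -m "fake new commit"
        # Assumption: this id reaches the user over a separate trusted channel.
        expected=$(g -C real rev-parse HEAD)

        for src in real fake; do
            g -C local fetch -q "../$src" HEAD || exit 1
            got=$(g -C local rev-parse FETCH_HEAD)
            # Object hashes check out for both: fsck only proves integrity.
            g -C local fsck --no-dangling >/dev/null 2>&1 && fsck=ok || fsck=bad
            # Both are fast-forwards from the local HEAD.
            g -C local merge-base --is-ancestor HEAD FETCH_HEAD && ff=yes || ff=no
            # Only a comparison with a known id tells them apart.
            [ "$got" = "$expected" ] && pin=match || pin=MISMATCH
            echo "$src fsck=$fsck fast-forward=$ff pin=$pin"
        done
    )
    rc=$?
    rm -rf "$tmp"
    return $rc
}

demo
```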