This is the mail archive of the binutils@sourceware.org mailing list for the binutils project.



Re: Feature request: improved build-id generation


On Wed, Mar 14, 2018 at 6:01 PM, Alan Modra <amodra@gmail.com> wrote:
> On Wed, Mar 14, 2018 at 04:40:25PM -0700, Andy Lutomirski wrote:
>>
>> I realize that the security issue here is barely relevant, but git’s use of SHA1 is *not* okay, and git is migrating away for a reason.
>
> Hmm, that's news to me.  Heh, I've always been a bit suspicious of
> git's reliability.  ;-)

I'm afraid Andy has listened to a few too many hard-liner security
people - the bad kind that don't know shades of gray, and the kind
that aren't generally worth listening to.

SHA1 with the known attack weakness fixed (aka "Hardened SHA1", the
way git already does) in a non-certificate environment is fine.

The fact is, data identification is different from some kind of
security that depends on the key. I wouldn't use even hardened SHA1
for some security certificate. But for file IDs? Andy is confused.

          Linus

