[Whonix-devel] How safe are signed git tags? Only as safe as SHA-1 or somehow safer?

• Previous message: [Whonix-devel] How safe are signed git tags? Only as safe as SHA-1 or somehow safer?
• Next message: [Whonix-devel] How safe are signed git tags? Only as safe as SHA-1 or somehow safer?
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, Nov 03, 2014 at 09:08:53 +0000, Patrick Schleizer wrote:
> Linus Torvalds said: [1]
>
>> Git uses SHA-1 not for security
>
> And goes on.
>
>> The security parts are elsewhere
>
> Could you please elaborate on this? Where are the security parts? Can
> you please briefly explain how these work? Where can I read more about this?

This would be a better question for the git mailing list.

Afaik, the only "security" that existed at the time he wrote that would
have been GPG-signed tags (and today, the only additional would be
GPG-signed commits).  But I could be mistaken.

> Wikipedia says. [2]
>
>> Nonetheless, without second preimage resistance [3] of SHA-1 signed
> commits and tags would no longer secure the state of the repository as
> they only sign the root of a Merkle tree [4].

Correct.

> Which contradicts what Linus Torvalds said. What does that mean for
> security? Which statement is true?

My assumption is that he relies (or relied) upon the integrity of
SHA-1.  As I mentioned in the Horror Story, he mentioned that he need
only remember the SHA-1 of the tip of his branch to rest assured that
the copy of a repository is identical to his own.[0]  But it'd be worth
asking him or someone on the mailing list.

> If (!) I understand Mike Gerwitz ([...] GNU [...]) 's opinion, his
> opinion is, that for best security each and every commit should be
> signed for best possible git verification security.
> [...]
> - Verbose reply by Mike Gerwitz to my question. [8]

Sure, but I don't sign every commit personally in practice.  I won't
repeat what I said in [8] here, though.

[0] http://mikegerwitz.com/papers/git-horror-story
> [8] https://www.whonix.org/forum/index.php/topic,538.msg4278.html#msg4278

- -- 
Mike Gerwitz
Free Software Hacker | GNU Maintainer
http://mikegerwitz.com
FSF Member #5804 | GPG Key ID: 0x8EE30EAB
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQIcBAEBAgAGBQJUWElwAAoJEPIruBWO4w6rWRUP+wf+682zVuurUuBujnLcupwF
WH/pkwX19+B6mXf2ZFEavrid/m0SszpGcZsjgi8CSsmS44W3OawcF3WMaXf8It6A
oSsSOvk7lfC9cezLtVqkmR2g5dWoFAVkbK8JHIeizqLgkQQ7Q93yg4EfL9hqx79b
AeO57SUWHyVN8CEqS37e1SXzenkLm/FujMNbn9NajzjgCdD7xsp6iZwos8684abf
hqo4HWHyKbHUQbnIe9cqP+3yIDm/pWpP57UvFng7rzleHcIMrqKAn5OYg1fVjQ3i
GAbsfoeNmDfjgtCYdrdTiEv2wAMu399hHTTaBr3sMpo1P9Yq4NP2K2DapYJJZWiF
d3gagUvzCKBQVmu5FH9nV84UrF7j77E0rThB1Ae8s+hov3KfBSWn7qkZeEGIXXyq
vFXKOdT09moTGlx87Sp/L65CB+42B7NbSzz3Z05hhUQFxRni7ZOESr8ax3td9DrG
vPrCLD4QHorhrD9ZISafaZWFiGSs7opYSa5VwO5QkijxpvCy+9bJu2ArrBF1H3xb
8c8uQI2buhO84Md0bAeKY6qUaaChRcRNGBoNwpteieWmtE202uUBwpvA99oBLM0N
cifU1GVZ3r5px64Wq8mr/EbSrCnc2tmYEuUzByg/wwPqTpgND7M9LAndmjW4cG3+
N/rgLa389561dRmiPOQK
=7/lr
-----END PGP SIGNATURE-----

• Previous message: [Whonix-devel] How safe are signed git tags? Only as safe as SHA-1 or somehow safer?
• Next message: [Whonix-devel] How safe are signed git tags? Only as safe as SHA-1 or somehow safer?
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]