[Whonix-devel] [Tails-dev] git (submodule) security

Patrick Schleizer patrick-mailinglists at whonix.org
Mon Nov 3 09:26:02 CET 2014


boyska wrote:
> On Sat, Nov 01, 2014 at 08:07:04AM +0000, Patrick Schleizer wrote:
>> By chance I found https://github.com/boyska/git-verify repo.
>
> hey, that's me :P

That's why I explicitly added you to cc. :)

>> At Whonix we're currently discussing various aspects of git security.
>> Especially since git still uses SHA-1 and if git (submodule)
>> verification is safe against adversaries, that can produce SHA-1
>> collisions.
>
> Seems a really good point, but... can't you just recursively run
> git-verify?

Not sure if required or a solution.

As I understand - using git submodules or not - git verify also is only
a gpg verification of a SHA-1 hash.


