shirish शिरीष wrote [Wed, Feb 05, 2020 at 05:00:16PM +0000]:
> Dear all,
>
> Please CC me if anybody feels like answering.
>
> I was shared this [1] and while it's important, it is equally
> important to point out that the work isn't complete atm. From what
> little I know, almost all Debian's work is now using git (there may be
> some subversion, some mercurial repos) but most of the work has now
> been using gitlab/salsa [2]. While some of the comments suggest that
> SHA-1 is fine for now one doesn't really know. From what little I can
> make out, it seems a pretty disruptive change and may have gotchas
> also for the reproducible builds project. [3]

Hi Shirish!

There is a very nice article presented in LWN two days ago explaining the issue in more detail; I will send you a personal mail with a free link to it (for other people, LWN has the policy of opening their paid content a week after publication, so please just wait for five more days).

https://lwn.net/Articles/811068/

Git is working towards being able to migrate to SHA256, and future migrations will probably be easier. As of right now, due to the way Git uses the hashes, danger is _not_ imminent and we can keep using it safely; Debian depends on upstream support first being ready before we introduce said changes; even after we introduce them, we need to keep older versions supported at least for a stable+oldstable cycle.

So, no, support for SHA1-Git will not be dropped within any foreseeable future :-Þ

Greetings,