Matt McCutchen <m...@mattmccutchen.net> wrote:
> No.  If the attacker MITMs the entire connection, they can lie about the
> values of the remote refs too, so there is no need to find a hash
> collision.

And how would you then be allowed to push? The git server would see that
your history doesn't match the history it has and will refuse the
commits. If they MITM your SSH push connection, I believe you have
bigger fish to fry.

--Ben

-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel

Reply via email to