On 15 September 2014 10:56, hasufell <hasuf...@gentoo.org> wrote:
> According to Robin, it's not about rebasing, it's about signing all
> commits so that messing with the blob (even if it has the same sha-1)
> will cause signature verification failure.

Correct me if I'm wrong, but wouldn't a SHA1 attack on the tree object or file blobs be completely invisible to the commit SHA1? As the Signature only signs content of the commit object, not any of the nodes it refers to. Granted, getting a tree/file object to replicate might be interesting.

--
Kent
*KENTNL* - https://metacpan.org/author/KENTNL
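
An added example, not part of the original message: a Python sketch of how Git derives blob, tree and commit object ids, showing which bytes a commit signature covers. The file name, identity, timestamp and commit message are constructed, and the tree serializer handles flat file entries only.

```python
import hashlib

def git_object_id(kind: bytes, body: bytes) -> bytes:
    """Git object id: SHA-1 over b'<kind> <len>\\0' + body, as raw 20 bytes."""
    header = kind + b" " + str(len(body)).encode() + b"\0"
    return hashlib.sha1(header + body).digest()

def tree_body(entries):
    """Serialize tree entries as b'<mode> <name>\\0' + raw child id.
    Simplification: plain files only, sorted by name."""
    ordered = sorted(entries, key=lambda e: e[1])
    return b"".join(mode + b" " + name + b"\0" + oid for mode, name, oid in ordered)

def signed_payload(blob_id: bytes) -> bytes:
    """Bytes of a commit object without its gpgsig header, i.e. what the
    signature is computed over. The only input is the blob *id*: file
    content reaches the payload solely through SHA-1 ids."""
    tree_id = git_object_id(b"tree", tree_body([(b"100644", b"README", blob_id)]))
    ident = b"A U Thor <author@example.org> 1410778560 +0000"  # constructed
    return (b"tree " + tree_id.hex().encode() + b"\n"
            + b"author " + ident + b"\n"
            + b"committer " + ident + b"\n"
            + b"\n"
            + b"constructed commit message\n")

def commit_id(payload: bytes) -> str:
    """Id of the unsigned commit object built from the payload."""
    return git_object_id(b"commit", payload).hex()

if __name__ == "__main__":
    content = b"hello\n"  # constructed file content
    blob_id = git_object_id(b"blob", content)
    payload = signed_payload(blob_id)
    print("blob id  :", blob_id.hex())
    print("commit id:", commit_id(payload))
    print("signed bytes:")
    print(payload.decode())
    # The file content never appears in the signed bytes, only a tree id
    # that in turn names the blob id.
    print("content in payload:", content in payload)
```

The signed bytes carry a single `tree <sha1>` line; verifying the signature therefore binds the blob only as strongly as the SHA-1 chain from commit to tree to blob.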