Git prefixes blobs with its own data. You're not going to break git with a SHA-1 binary collision. However, svn is very vulnerable to breaking.

On Thu, Feb 23, 2017 at 3:11 PM, J. Hellenthal <jhellent...@dataix.net> wrote:

> It's actually pretty serious in Git and the banking markets where there is
> high usage of sha1. Considering the wide adoption of Git, this is a pretty
> serious issue that will only become worse ten-fold over the years. Visible
> abuse will not be near as widely seen as the initial shattering but
> escalate over much longer periods.
>
> Take it serious? Why wouldn't you!?
>
> --
> Onward!,
> Jason Hellenthal,
> Systems & Network Admin,
> Mobile: 0x9CA0BD58,
> JJH48-ARIN
>
> On Feb 23, 2017, at 16:40, Ricky Beam <jfb...@gmail.com> wrote:
>
>
> On Thu, 23 Feb 2017 15:03:34 -0500, Patrick W. Gilmore <patr...@ianai.net> wrote:
>
> More seriously: The attack (or at least as much as we can glean from the
> blog post) cannot find a collision (file with same hash) from an arbitrary
> file. The attack creates two files which have the same hash, which is
> scary, but not as bad as it could be.
>
> Exactly. This is just more sky-is-falling nonsense. Of course collisions
> exist. They occur in every hash function. It's only marginally noteworthy
> when someone finds a collision. It's neat that Google has found a way to
> generate a pair of files with the same hash -- at colossal computational
> cost! However this in no way invalidates SHA-1 or documents signed by
> SHA-1. You still cannot take an existing document, modify it in a
> meaningful way, and keep the same hash.
>
> [Nor can you generate a blob to match an arbitrary hash (which would be
> death of all bittorrent)]
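
The blob prefix mentioned at the top of this message, as an added example that is not part of the original thread: Git's blob object ID is SHA-1 over a `blob <size>\0` header followed by the content, so it differs from the SHA-1 of the file bytes alone. The function names and sample inputs below are constructed for illustration.

```python
import hashlib


def raw_sha1(data: bytes) -> str:
    """SHA-1 over the file bytes alone (what `sha1sum` prints)."""
    return hashlib.sha1(data).hexdigest()


def git_blob_header(data: bytes) -> bytes:
    """Header Git prepends to blob content: type, decimal size, NUL byte."""
    return b"blob %d\x00" % len(data)


def git_blob_id(data: bytes) -> str:
    """Object ID Git assigns to a blob (what `git hash-object` prints)."""
    return hashlib.sha1(git_blob_header(data) + data).hexdigest()


def compare(data: bytes) -> dict:
    """Both digests side by side, plus the header that separates them."""
    return {
        "header": git_blob_header(data),
        "raw_sha1": raw_sha1(data),
        "git_blob_id": git_blob_id(data),
    }


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the thread.
    for sample in (b"", b"test content\n", b"hello world\n"):
        result = compare(sample)
        print(repr(sample))
        print("  header     ", result["header"])
        print("  raw sha1   ", result["raw_sha1"])
        print("  git blob id", result["git_blob_id"])
```

Because the header bytes are hashed before the content, two files that share a raw SHA-1 digest do not automatically share a Git blob ID; the hash input Git sees is a different byte string.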