Re: [Tails-dev] git (submodule) security

Delete this message

Reply to this message
Autore: Patrick Schleizer
Data:  
To: The Tails public development discussion list
CC: freepto@autistici.org >> Everything about freepto, Whonix-devel
Oggetto: Re: [Tails-dev] git (submodule) security
boyska wrote:> On Sat, Nov 01, 2014 at 08:07:04AM +0000, Patrick
Schleizer wrote:
>> By chance I found https://github.com/boyska/git-verify repo.
>
> hey, that's me :P


That's why I explicitly added you to cc. :)

>> At Whonix we're currently discussing various aspects of git security.
>> Especially since git still uses SHA-1 and if git (submodule)
>> verification is safe against adversaries, that can produce SHA-1
>> collisions.
>
> Seems a really good point, but... can't you just recursively run
> git-verify?


Not sure if required or a solution.

As I understand - using git submodules or not - git verify also is only
a gpg verification of a SHA-1 hash.