boyska wrote:
> On Sat, Nov 01, 2014 at 08:07:04AM +0000, Patrick Schleizer wrote:
>> By chance I found https://github.com/boyska/git-verify repo.
>
> hey, that's me :P
That's why I explicitly added you to cc. :)
>> At Whonix we're currently discussing various aspects of git security.
>> Especially since git still uses SHA-1 and if git (submodule)
>> verification is safe against adversaries, that can produce SHA-1
>> collisions.
>
> Seems a really good point, but... can't you just recursively run
> git-verify?
Not sure if required or a solution.
As I understand - using git submodules or not - git verify also is only
a gpg verification of a SHA-1 hash.
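
The point about signatures and SHA-1, shown for git's own signed commits (the kind `git verify-commit` checks), as an added example that is not part of the original thread and not code from git-verify. It rebuilds git's object ids and the byte string a commit signature covers, showing that file content enters the signed data only through the tree's SHA-1. The function names, the sample commit and the placeholder signature are constructed for illustration.

```python
import hashlib

def git_object_id(kind: str, body: bytes) -> str:
    """Name an object the way git does: SHA-1 over '<kind> <len>\\0' + body."""
    header = f"{kind} {len(body)}".encode() + b"\0"
    return hashlib.sha1(header + body).hexdigest()

def tree_body(entries):
    """Serialize (mode, name, hex id) entries as git stores a tree.
    Plain byte-wise name sort: enough for flat files (assumption: no subdirs)."""
    out = b""
    for mode, name, hex_id in sorted(entries, key=lambda e: e[1]):
        out += f"{mode} {name}".encode() + b"\0" + bytes.fromhex(hex_id)
    return out

def signed_payload(commit_body: bytes) -> bytes:
    """Commit text minus the gpgsig header and its continuation lines:
    the data the GPG signature on a commit is computed over."""
    headers, sep, message = commit_body.partition(b"\n\n")
    kept, skipping = [], False
    for line in headers.split(b"\n"):
        if line.startswith(b"gpgsig "):
            skipping = True            # drop the signature header itself
        elif skipping and line.startswith(b" "):
            continue                   # drop its indented continuation lines
        else:
            skipping = False
            kept.append(line)
    return b"\n".join(kept) + sep + message

def demo():
    # Constructed sample repository: one file, one tree, one signed commit.
    blob_id = git_object_id("blob", b"hello\n")
    tree_id = git_object_id("tree", tree_body([("100644", "README", blob_id)]))
    commit = (f"tree {tree_id}\n"
              "author A <a@example.org> 1414829224 +0000\n"
              "committer A <a@example.org> 1414829224 +0000\n"
              "gpgsig -----BEGIN PGP SIGNATURE-----\n"
              " (constructed placeholder, not a real signature)\n"
              " -----END PGP SIGNATURE-----\n"
              "\ninitial\n").encode()
    # The payload names the tree by SHA-1 only; the file bytes are not in it.
    return blob_id, tree_id, signed_payload(commit)

if __name__ == "__main__":
    print(demo())
```

The signature therefore authenticates file content only as far as the SHA-1 chain from commit to tree to blob holds, with or without submodules, since a submodule is recorded in the tree as one more SHA-1 commit id.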