Posted Feb 1, 2010 20:41 UTC (Mon) by epa
Parent article: Security in the 20-teens
But that nice assumption only holds true for as long as one assumes that the hash algorithms used to identify commits are not subject to brute-force collisions.
It would be quite a task to generate a hash collision that also compiles as valid C code. And doubly impossible to generate one which is valid C code and inserts the backdoor you want. (This could be easier if you can generate both sides of the collision - so you'd somehow generate an innocuous-looking git tree and an evil one that has the same checksum - but then you'd have to somehow convince Linus to bless your innocuous-looking code absolutely untouched as an official release.)
Of course if a hashing function is shown to have weaknesses, you migrate to a better one. That's just common sense. But I don't think we need be too worried about this particular attack - not when there are far easier ways to insert backdoors.
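As an added illustration, not part of epa's comment or the LWN article, the Python below models how git derives the identifiers the thread is talking about: each blob is hashed with a "blob <length>\0" header, the tree hashes the blob ids, and the commit hashes the tree id. That makes concrete what the "evil" side of a collision would have to match for a swapped file to go unnoticed: not the SHA-1 of the raw source, but the SHA-1 of header plus source, so that the tree and commit ids above it stay the same. The source snippets, author string and message are constructed for the example; the hashing itself follows git's object format and can be checked against `git hash-object`.

```python
"""Model of git's object identifiers (blob -> tree -> commit).

Added example, not code from the LWN thread. Standard library only.
"""
import hashlib

# Constructed sample inputs (not from any real project).
INNOCUOUS = b'int ok(const char *pw) { return strcmp(pw, "s3cret") == 0; }\n'
BACKDOORED = b'int ok(const char *pw) { return strcmp(pw, "s3cret") == 0 || !strcmp(pw, "x"); }\n'
AUTHOR = "Example Dev <dev@example.invalid> 1265056860 +0000"  # constructed


def git_object_id(obj_type: str, body: bytes) -> str:
    """git hashes '<type> <decimal length>\\0' + body, never the bare body.

    A collision found for the raw bytes therefore does not carry over;
    it has to be computed with this header as the prefix.
    """
    header = f"{obj_type} {len(body)}\0".encode()
    return hashlib.sha1(header + body).hexdigest()


def blob_id(content: bytes) -> str:
    """Same value as `git hash-object` on a file with this content."""
    return git_object_id("blob", content)


def tree_id(entries) -> str:
    """entries: iterable of (mode, name, hex_oid) for one directory.

    git stores 'mode name\\0' followed by the 20 raw oid bytes, sorted by
    name. (Real git sorts subdirectory names as if suffixed with '/';
    this model only handles plain files, which is enough here.)
    """
    body = b"".join(
        f"{mode} {name}\0".encode() + bytes.fromhex(oid)
        for mode, name, oid in sorted(entries, key=lambda e: e[1])
    )
    return git_object_id("tree", body)


def commit_id(tree_oid: str, parent_oids, author: str, committer: str, message: str) -> str:
    """Commit body: tree, parents, author, committer, blank line, message."""
    lines = [f"tree {tree_oid}"]
    lines += [f"parent {p}" for p in parent_oids]
    lines += [f"author {author}", f"committer {committer}", "", message]
    return git_object_id("commit", "\n".join(lines).encode())


def release_commit(files: dict, parent: str = None) -> dict:
    """Identifiers for a one-directory snapshot: {name: bytes} -> ids."""
    blobs = {name: blob_id(data) for name, data in files.items()}
    tree = tree_id([("100644", name, oid) for name, oid in blobs.items()])
    commit = commit_id(tree, [parent] if parent else [], AUTHOR, AUTHOR, "Release 1.0\n")
    return {"blobs": blobs, "tree": tree, "commit": commit}


def would_pass_unnoticed(blessed: bytes, swapped: bytes) -> bool:
    """True only if the swapped content yields the same blob id, i.e. a
    SHA-1 collision computed over the git header plus content. Absent a
    real collision this is always False; it is the exact condition the
    attacker in the thread would have to satisfy for every other id
    (tree, commit, tag) to remain unchanged."""
    return blob_id(blessed) == blob_id(swapped)


if __name__ == "__main__":
    good = release_commit({"auth.c": INNOCUOUS})
    evil = release_commit({"auth.c": BACKDOORED})
    for level in ("tree", "commit"):
        print(f"{level:6} good={good[level]} evil={evil[level]}")
    print("blob ids match:", would_pass_unnoticed(INNOCUOUS, BACKDOORED))
```

Run it and every level differs, which is the normal case; the interesting point is the header: because the length is part of what is hashed, an attacker who controls both sides of a collision must produce two sources of equal length (as the known SHA-1 attacks do) and compute the collision with "blob <len>\0" already fed into the hash state, not just find any pair of colliding files.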