Maliciously replacing git objects
Posted Feb 25, 2017 13:10 UTC (Sat) by DigitalBrains (subscriber, #60188)
In reply to: Announcing the first SHA1 collision by alexl
Parent article: Announcing the first SHA-1 collision
> It should be noted that git doesn't even verify the sha1 on pull by default.
That article links to Debian bug 813157, where the last message seems to claim the contrary if I read it right:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=813157#39
IIUC, SHA-1 checksums for objects aren't even transferred with a pull, let alone that they can be falsified.