Re: SHA-256 transition

["Ævar Arnfjörð Bjarmason" <avarab@gmail.com>]

On Mon, Jun 20 2022, Stephen Smith wrote:

> What is the current status of the SHA-1 to SHA-256 transition?   Is the 
> transition far enough along that users should start changing over to the new 
> format?  

Just my 0.02, not the official project line or anything:

I wouldn't recommend that anyone use it for anything serious at the
moment, as far as I can tell the only users (if any) are currently
(some) people work on git itself.

The status of it is, I think it's fair to say, that it /should/ work
100% (or at least 99.99%?) as far as git itself is concerned.

I.e. you can "init" a SHA-256 repository, all our in-repo tooling
etc. will work with it. We run full CI tests with a SHA-256 test suite,
and it's passing.

But the reason I'd still say "no" on the technical/UX side is:

 * The inter-op between SHA-256 and SHA-1 repositories is still
   nonexistent, except for a one-off import. I.e. we don't have any
   graceful way to migrate an existing repository.

 * For new repositories I think you'll probably want to eventually push
   it to one of the online git hosting providers, none of which (as far
   as I'm aware) support SHA-256 repos.

 * Even if not, any local git tooling that's not part of git.git is
   likely to break, often for trivial reasons like expecting SHA-1 sized
   hashes in the output, but if you start using it for your repositories
   and use such tools you're very likely to be the first person to run
   into bugs in those areas.

But more importantly (and note that these views are definitely *not*
shared by some other project members, so take it with a grain of salt):
There just isn't any compelling selling point to migrate to SHA-256 in
the near or foreseeable future for a given individual user of git.

The reason we started the SHA-1 -> $newhash (it wasn't known that it
would be SHA-256 at the time) was in response to https://shattered.io;
Although it had been discussed before, e.g. the thread starting at [1]
in 2012.

We've since migrated our default hash function from SHA-1 to SHA-1DC
(except on vanilla OSX, see [2]). It's a variant SHA-1 that detects the
SHAttered attack implemented by the same researchers. I'm not aware of a
current viable SHA-1 collision against the variant of SHA-1 that we
actually use these days.

But even assuming for the sake of argument that we were using a much
weaker and easier to break hash (say MD4 or MD5) most users still
wouldn't have much or anything to worry about in practice.

Discovering a hash collision is only the first step in attacking a Git
repository. This aspect has been discussed many times on-list, but
e.g. [3] is one such thread.

The above is really *not* meant to poo-poo the whole notion of switching
to a new hash. We're making good progress on it, although I think the
really hard part UX-wise is left (online migration).

Likewise I'd be really surprised if given the progress of that work the
average Git user isn't going to be using not-SHA-1 with Git in 15-20
years, of it's even still around at that time as a relevant VCS.

But should even advanced git users be spending time on migrating their
data at this point?

No, I don't think so given all of the above, and I really think we
should carefully consider all of the trade-offs involved before
recommending that the average user of git migrate over.

1. https://lore.kernel.org/git/CA+EOSBncr=4a4d8n9xS4FNehyebpmX8JiUwCsXD47EQDE+DiUQ@mail.gmail.com/
2. https://lore.kernel.org/git/cover-0.5-00000000000-20220422T094624Z-avarab@gmail.com/
3. https://lore.kernel.org/git/CACBZZX65Kbp8N9X9UtBfJca7U1T0m-VtKZeKM5q9mhyCR7dwGg@mail.gmail.com/