Re: [PATCH 0/5] core: update our SHA-1 docs, use sha1collisiondetection on OSX too

[Junio C Hamano <gitster@pobox.com>]

Ævar Arnfjörð Bjarmason  <avarab@gmail.com> writes:

> I wasn't able to find any on-list references to it being intentional,
> but it appears that while we made the sha1collisiondetection variant
> of SHA-1 the default in early 2017 we've never updated the OSX builds
> to do likewise.
>
> I don't know what various git packages for OSX to, but our vanilla OSX
> distribution definitely uses Apple Common Crypto, and won't detect the
> https://shattered.io attack.
>
> This series changes that, and while doing so in 2/5 updates our
> documentation and Makefile interface for the SHA-1 selection. Our
> INSTALL file was still claiming we used OpenSSL's SHA-1 by default.
>
> Then since we'd made sha1collisiondetection the default we hadn't
> changed the code's default fallback to be that, it was still
> block-sha1. Now our fallback behavior is "error" instead, which makes
> it less likely that we'll get some foot-gun like the "OSX not using
> sha1collisiondetection" again.
>
> The 4/5 and 5/5 then remove the PPC_SHA1 implementation. I submitted
> this before as [1], and the range-diff is to that submission (it
> wasn't picked up). I think it makes sense as part of this general
> SHA-1 cleanup.

Thanks for this effort.

I'd like to see somebody with "building Git for distributing to
macOS" background to comment (I am assuming that the mailing list
git-packagers@googlegroups.com is the way to reach them).