The developers of the ubiquitous git version control system have announced that they are beginning the transition away from the SHA-1 hashing algorithm.
This transition will prove to be a challenge, as SHA-1 has been a part of git since Linus Torvalds originally developed the versioning system back in 2005. Git uses SHA-1-generated hashes to identify revisions and protect code against corruption. Unfortunately, SHA-1’s foundation has been weakened by a series of vulnerabilities that have been found in the codebase, and it is now considered broken. In fact, one of the primary reasons for the transition away from SHA-1 is that the poor state of the hashing algorithm could be used to compromise git repositories.
In other words, this out-of-date cryptographic hashing function can no longer be considered secure. According to the official Git hash function transition document, the insecurity of SHA-1 has been known for some time. The document states, “Over time some flaws in SHA-1 have been discovered by security researchers. On Feb. 23, 2017 the SHAttered attack demonstrated a practical SHA-1 hash collision.”
One would think it’s just a simple matter of migrating git to a newer, more secure hashing algorithm. Unfortunately, that is not the case. Why? Git stores a lot of objects. And every time even the slightest change is made to an object, a new SHA-1 hash is created and the object is then stored under a different name. Because this is a version control system, that means every one of those objects is saved.
Now, imagine migrating the sum total of every object stored on git to a new hashing algorithm. A single git repository could have thousands of objects. In 2018 there were over 100 million repositories on git. Couple that with the fact that commits also have SHA-1 hashes and the task of migration becomes monumental.
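The naming scheme described above can be reproduced outside git. The following is an added example, not code from the article or from the git project: it hashes objects the way git does (`"<type> <size>\0<body>"`) and shows that a blob's ID is embedded in its tree and the tree's ID in its commit, so switching the hash function renames every object in the chain. The function names, file name and author identity are constructed for illustration.

```python
import hashlib

def git_object_id(obj_type: str, body: bytes, algo: str = "sha1") -> str:
    """Hash "<type> <size>\\0<body>", the way git names every object."""
    header = f"{obj_type} {len(body)}".encode() + b"\x00"
    return hashlib.new(algo, header + body).hexdigest()

def tree_body(files: dict, algo: str = "sha1") -> bytes:
    """Each tree entry is "<mode> <name>\\0" plus the child's raw binary ID."""
    out = b""
    for name in sorted(files):  # git keeps tree entries sorted by name
        child = bytes.fromhex(git_object_id("blob", files[name], algo))
        out += f"100644 {name}".encode() + b"\x00" + child
    return out

def commit_chain(files: dict, message: str, algo: str = "sha1"):
    """Return (blob IDs, tree ID, commit ID) for a one-commit history."""
    blobs = {n: git_object_id("blob", d, algo) for n, d in files.items()}
    tree = git_object_id("tree", tree_body(files, algo), algo)
    ident = "Example Dev <dev@example.com> 1500000000 +0000"  # constructed
    body = f"tree {tree}\nauthor {ident}\ncommitter {ident}\n\n{message}\n"
    return blobs, tree, git_object_id("commit", body.encode(), algo)

def loose_path(object_id: str) -> str:
    """Where a loose object with this ID lives inside the repository."""
    return f".git/objects/{object_id[:2]}/{object_id[2:]}"

if __name__ == "__main__":
    before = {"hello.txt": b"hello world\n"}   # constructed sample content
    after = {"hello.txt": b"hello world!\n"}   # one-byte edit
    for algo in ("sha1", "sha256"):
        for label, files in (("before", before), ("after", after)):
            blobs, tree, commit = commit_chain(files, "example", algo)
            print(algo, label)
            print("  blob  ", loose_path(blobs["hello.txt"]))
            print("  tree  ", tree)
            print("  commit", commit)
```
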
But with other developers (such as those with Mozilla) already having moved from SHA-1, the time for migration is past due.
Git plans on migrating from SHA-1 to SHA-256. This will happen across all repositories and apparently will be done in stages. According to the migration document, “Git v2.13.0 and later subsequently moved to a hardened SHA-1 implementation by default, which isn’t vulnerable to the SHAttered attack.” Of course, that wasn’t enough to ensure the security of objects stored on Git. Hence the migration to the new algorithm.
Some of the transition goals Git has shared include:
At the moment, there is no timeline or deadline for the transition. This plan was originally proposed back in 2017 by git developer Brian Carlson. Work on this transition has been going on for a while now, and the code is now in the alpha stage.