by yc12340 1752 days ago
> An attacker would merely have to brute force the tip of their attacker repository, a matter which you can do within the hour

So you think that you can do so in an hour? How much are you willing to bet on that?

For bonus points, try to "brute force a tip" for a repository containing actual contents (as opposed to randomly named binary files with gibberish).

2 comments

Not sure what you are asking, but it is trivially easy to fake a git short hash to whatever you like.

I cloned this repo: https://github.com/bradfitz/gitbrute

Ran the command in the readme (had to do it twice for some reason) and the latest commit is now 000001 on my fork of the repo: https://github.com/Genbox/gitbrute/commit/0000019075dabc337f...

It took less than 3 minutes for the full thing.

My example was using cut'n'paste, then cmp, so the full 40 char hash. I don't try comparing those things manually.

As I said trivial to prove valid; and since I was actually reading, using, and compiling the code, quite difficult to achieve a collision in the circumstances.

Then just fake the first and last characters; not much of an additional challenge. Few people compare all characters; they compare the first and last few. I bet that would have even caught you unaware in some moments.

Brute forcing a commit hash requires no gibberish binary files with random names; the data can be inserted into the commit metadata in ways that won't even show up in your git log. Forcing the entire commit hash is hard, but by default everyone only checks the first 6 digits anyway.
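
An added example, not part of any comment in this thread: a check that accepts only a full 40-character pin and flags commit headers git does not normally write, which is where padding that `git log` does not display would sit. It assumes a SHA-1 repository and a raw commit object as printed by `git cat-file commit <id>`; the function names, the `x-nonce` header and both sample commits are constructed for illustration.

```python
import hashlib
import re

# Header names git itself writes into commit objects.
KNOWN_HEADERS = {"tree", "parent", "author", "committer", "encoding",
                 "gpgsig", "gpgsig-sha256", "mergetag"}

def object_id(kind: bytes, body: bytes) -> str:
    """SHA-1 object id as git computes it: sha1("<kind> <len>\\0" + body)."""
    return hashlib.sha1(kind + b" %d\x00" % len(body) + body).hexdigest()

def unexpected_headers(raw_commit: bytes) -> list:
    """Header names in a raw commit object that git does not normally write."""
    head = raw_commit.split(b"\n\n", 1)[0]   # headers end at the first blank line
    names = []
    for line in head.split(b"\n"):
        if line.startswith(b" "):            # continuation of a multi-line header
            continue
        name = line.split(b" ", 1)[0].decode("ascii", "replace")
        if name not in KNOWN_HEADERS:
            names.append(name)
    return names

def matches_pin(pinned: str, raw_commit: bytes) -> bool:
    """True only if the pin is a full 40-hex id equal to the recomputed one."""
    if not re.fullmatch(r"[0-9a-f]{40}", pinned):
        return False                         # abbreviated pins are rejected outright
    return pinned == object_id(b"commit", raw_commit)

# Constructed sample commits (not from any real repository).
CLEAN = (b"tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904\n"
         b"author A U Thor <author@example.com> 1600000000 +0000\n"
         b"committer A U Thor <author@example.com> 1600000000 +0000\n"
         b"\nfix typo\n")
# Same commit with one extra, hypothetical header carrying padding.
PADDED = CLEAN.replace(b"\n\nfix", b"\nx-nonce 123456\n\nfix")

if __name__ == "__main__":
    pin = object_id(b"commit", CLEAN)
    for label, raw in (("clean", CLEAN), ("padded", PADDED)):
        print(label, object_id(b"commit", raw),
              "pin ok" if matches_pin(pin, raw) else "pin MISMATCH",
              "extra headers:", unexpected_headers(raw))
```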