by PurelyApplied
979 days ago
There are so many things to dislike about git, but I feel like so much of this post is reaching for cause to be offended. SHA-1 is a hashing function. As a hashing function, it's fine. Why does your identifier need to be cryptographically secure? I agree with the name and email issues, but laughed at the idea that a URL is somehow more robust. Who claims that git is a database? I agree with the broad strokes, especially having as many conversations as I've had with frustrated people about why their repo is in an unhappy state.
There are many use cases where people are using the hash to guarantee no actor has inserted different code than they expect in a dependency, so the dependency is pinned to a hash. Not being secure would be catastrophic for some use cases that people are currently using, if widespread.
We could make a claim this is a misuse, but this is what people are doing.