by kramerger 894 days ago
These are GIT repositories, they have their own cryptographically unique identifiers. No need to send your data to a third-party to get it confirmed.

Maybe I'm missing something, but this whole operation feels like a huge infrastructure paid by Google for something that is not needed.


> cryptographically unique

Git uses SHA1 which is pretty far from cryptographically secure. It’s unlikely that’s the sole reason for having a separate checksum database though.

Doing some searching around online, it seems like git introduced sha256 support several years ago.

Only for some local operations; the git protocol still uses SHA-1 for compatibility with old clients, and existing SHA-1 objects in old repositories aren't converted.

Git history can be rewritten or deleted, e.g. by the git rebase command. The mirror's checksum DB is independent and prevents your build from breaking or being altered if a dependency is manipulated or deleted.

As the sibling comment notes, Git's hashes are not secure: https://shattered.it
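Added example, not code from any commenter, assuming the checksum DB under discussion is Go's module sumdb: it computes a go.sum-style "h1:" hash the way the dirhash Hash1 algorithm does, over a constructed in-memory module. The hash covers file contents only, so it is the same no matter what the git history looks like, and any change to a file changes it.

```go
// Added example: "h1:" content hash as used in go.sum (Hash1 algorithm of
// golang.org/x/mod/sumdb/dirhash), computed over an in-memory module.
// It depends only on file names and contents, never on a git commit id,
// which is why a checksum database can notice a rewritten or deleted dependency.
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// ModuleHash1 returns the go.sum style "h1:" hash of files, keyed by the path
// they would have inside the module zip ("module@version/path").
func ModuleHash1(files map[string][]byte) (string, error) {
	names := make([]string, 0, len(files))
	for name := range files {
		if strings.Contains(name, "\n") {
			return "", errors.New("filenames with newlines are not supported")
		}
		names = append(names, name)
	}
	sort.Strings(names) // discovery order must not affect the result
	h := sha256.New()
	for _, name := range names {
		sum := sha256.Sum256(files[name])
		// one line per file, same layout as `sha256sum` output: "<hex>  <name>\n"
		fmt.Fprintf(h, "%x  %s\n", sum[:], name)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(h.Sum(nil)), nil
}

// SampleModule is a constructed two-file module (hypothetical path example.com/m).
func SampleModule() map[string][]byte {
	return map[string][]byte{
		"example.com/m@v1.0.0/go.mod": []byte("module example.com/m\n\ngo 1.21\n"),
		"example.com/m@v1.0.0/m.go":   []byte("package m\n\nfunc Answer() int { return 42 }\n"),
	}
}

func main() {
	orig, _ := ModuleHash1(SampleModule())
	tampered := SampleModule() // same module after one byte of source is changed
	tampered["example.com/m@v1.0.0/m.go"] = []byte("package m\n\nfunc Answer() int { return 41 }\n")
	alt, _ := ModuleHash1(tampered)
	fmt.Println("original:", orig)
	fmt.Println("tampered:", alt)
	fmt.Println("mismatch detected:", orig != alt)
}
```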