[CuriousCosmic]

So tldr is "it's in progress".

You can use SHA-256 in production. And you can convert SHA-1 repos into SHA-256 repos.

However:

- SHA-1 repos are not compatible with SHA-256 repos so you can't mix and match the trees (i.e. a SHA-256 fork couldn't upstream their commits to a SHA-1 repo).

- The conversion path from SHA-1 to SHA-256 will break all GPG signatures on the repo.

- There may be breaking changes to the SHA-256 repository implementation in the future however those changes will be guaranteed to come with an upgrade path for any users of the existing SHA-256 implementation.

So it's viable as an option but it's by no means "blessed" like the existing SHA-1 impl is.

[H8crilA]

I would only add that an organic (accidentally created) hash collision in Git will take an extreme amount of time. However, even today you can download the two PDFs from https://shattered.io/, put them both in your Git repository and watch Git crash. Given the construction of SHA-1 (Merkle-Damgard), it is easy to create an unlimited amount of derivative files that also cause a collision, they just have to have the correct prefixes (and then arbitrary but identical suffixes). Or upload only one of such files, but later pretend that it was the other. Authors were even kind enough to create a file tester on that very website :), but note that a determined adversary can recreate the attack and create a different set of prefixes.

SHA-1 really is broken, and therefore standard Git repositories do not offer integrity protection against someone who is determined to do harm and has some resources.

[formerly_proven]

git has been using the hardened variant of SHA-1 for ages, so the shattered.io files haven't had that effect for a long time.

Edit: Since git 2.13, released about a month after SHAttered was published in 2017: https://github.com/git/git/blob/master/Documentation/RelNote...

[fjdhdhdhfhfhf]

A hardened variant which to this day still has not been documented anywhere.

Really disappointing and terrible for interop.

[namibj]

I think IPFS's IPLD facility for integrating git"s blockchain has it documented as part of discussions on how to offer splitting of git objects as they naturally can be gigabytes.

[free_bip]

Additionally, AFAIK, none of the major repo hosting services (GitHub, gitlab, Bitbucket) support sha-256 repos.

[CuriousCosmic]

This is true however that is changing very soon now that SHA-256 is no longer marked experimental.

GitLab has been working on integrating SHA-256 support for a while. According to this comment[1], there's only one major blocker left (which seems to be completed at the time of this comment) before they can start testing SHA256 support on GitLab.org.

1. https://gitlab.com/groups/gitlab-org/-/epics/10981#note_1797...

[panzi]

Thanks!