[revelation]

By breaking SHA1, obviously.

[wongarsu]

By breaking SHA1 you could covertly edit older commits, but existing contributors would still have the original version. As soon as somebody edits code at the intrusion it would be discovered because it would merge cleanly locally but cause a merge conflict on github.

Of course on big projects a lot of the code isn't touched in years but we're talking about revealing that somebody broke SHA1. It sounds very risky given the stakes.

[erdeszt]

Commit hashes are not a security feature but you can sign your commits with gpg.

[wongarsu]

Some projects sign their release commits and tags, some even their merge commits, but I have never seen a project which actually signs every commit.

The reasoning is always that you are actually signing the whole commit chain because your commit is liked to every previous one by the commit hashes.

[erdeszt]

True but I was just mentioning the possibility not the best practices for using it.

[jasonmp85]

And if people actually signed their commits and tags?