from the get-git dept.
The open source Git project has just released Git 2.13.0, with features and bugfixes from over 65 contributors. Before we dig into the new features, we have a brief security announcement.
For those running their own Git hosting server, Git 2.13 fixes a vulnerability in the git-shell program in which an untrusted Git user can potentially run shell commands on a remote host. This only affects you if you're running a hosting server and have specifically configured git-shell. If none of that makes sense to you, you're probably fine. See this announcement for more details. As neither GitHub.com nor GitHub Enterprise uses git-shell, both are unaffected.
Phew. With that out of the way, let's get on to the fun stuff.
[...] You may have heard that researchers recently found the first collision in SHA-1, the hash function Git uses to identify objects. Their techniques may eventually be used to conduct collision-based attacks against Git users. Fortunately those same researchers also provided a way to detect content that is trying to exploit this technique to create collisions. In March, GitHub.com began using that implementation to prevent it being used as a potential platform for conducting collision attacks.
Git 2.13 ships with similar changes, and will detect and reject any objects that show signs of being part of a collision attack. The collision-detecting SHA-1 implementation is now the default. The code is included with Git, so there's no need to install any additional dependencies. Note that this implementation is slower than the alternatives, but in practice this has a negligible effect on the overall time of most Git operations (because Git spends only a small portion of its time computing SHA-1 hashes in the first place).
In other collision detection news, efforts have continued to develop a transition plan and to prepare the code base for handling new hash functions, which will eventually allow the use of stronger hash algorithms in Git.
What version of git, if any, are you running?
(Score: 2) by Wootery on Thursday May 11, @03:51PM
What can you do with a hash-collision to turn it into an attack on Git?
A quick google seems to show that SHA-1 collisions aren't that scary for git. [theregister.co.uk]
(Score: 0) by Anonymous Coward on Thursday May 11, @04:04PM (4 children)
"GIT", the overly complex CM system created by hipster dufuses.
(Score: 0) by Anonymous Coward on Thursday May 11, @04:15PM
Hey, fuck you, Git Torvalds is GenX.
(Score: 2) by ikanreed on Thursday May 11, @04:39PM
You're right, of course, we should all go back to SVN and let every tree conflict be the cause of 1 to 3 suicides.
(Score: 2) by mth on Thursday May 11, @04:41PM (1 child)
Git is complex, but is it overly complex? I don't know of any other CM system that can handle projects with the number of contributors of the Linux kernel and is significantly easier to use. I've heard people say Mercurial is easier to learn, but it's not all that different from Git in my opinion.
You could argue Git is unnecessarily complex for small-scale projects, which is true if you'd have to learn Git for that purpose. But if you already know Git, it's easier to use that also for simple projects than to learn a second tool.
(Score: 0) by Anonymous Coward on Thursday May 11, @04:51PM
Git is absolutely fantastic because now when I want to contribute to an open source project I don't need to diff a patch and mail it to a list where my patch will be summarily ignored. Instead I can open a pull request on GitHub where my pull request will be summarily ignored. Git makes the completely nonexistent community so much better at ignoring contributors!
(Score: 0) by Anonymous Coward on Thursday May 11, @04:12PM (1 child)
Linus still has one claim to fame and world domination.
(Score: 2) by mth on Thursday May 11, @04:44PM
Did Netcraft confirm it?