Some may not remember BitKeeper being used to maintain the Linux kernel source code and how a discrepancy was found (22 years ago) between that repo and the CVS repo. This kind of led to git and signed commits that we have today, etc.
Seems this is related to SHA1 being used on gnupg. Will be interesting on how this plays out when SHA1 in gpg is obsoleted. I am not looking forward to that.
Then there is the added complexity of git using SHA1, I do not know if that has been changed yet.
Fun times ahead.
FWIW, I changed my git commit signing to ssh-ed25519 from gnupg about a month ago.
ssh-ed25519 is different from a gnupg ed25519 key, since it doesn't have any of the technical baggage that gnupg has. Even with ed25519, sha1 is still hardcoded into RFC4880, the standard that gnupg implements. Fingerprints are typically 40 characters long since they are hex sha1 hashes. There's RFC9580 that changes this to sha256, but it's still very new and currently being finalized.
But even then, when using ed25519+sha256 to generate a signature, you're still going to do this over a sha1 hash because of the way git works.
Nice write-up. Thanks for sharing.
Some may not remember BitKeeper being used to maintain the Linux kernel source code and how a discrepancy was found (22 years ago) between that repo and the CVS repo. This kind of led to git and signed commits that we have today, etc.
Here's a short write up: https://blog.citp.princeton.edu/2013/10/09/the-linux-backdoo...
Seems this is related to SHA1 being used on gnupg. Will be interesting on how this plays out when SHA1 in gpg is obsoleted. I am not looking forward to that.
Then there is the added complexity of git using SHA1, I do not know if that has been changed yet.
Fun times ahead.
FWIW, I changed my git commit signing to ssh-ed25519 from gnupg about a month ago.
Didn't GPG change its default to ed25519 four years ago?
https://lists.gnupg.org/pipermail/gnupg-announce/2021q2/0004...
ssh-ed25519 is different from a gnupg ed25519 key, since it doesn't have any of the technical baggage that gnupg has. Even with ed25519, sha1 is still hardcoded into RFC4880, the standard that gnupg implements. Fingerprints are typically 40 characters long since they are hex sha1 hashes. There's RFC9580 that changes this to sha256, but it's still very new and currently being finalized.
But even then, when using ed25519+sha256 to generate a signature, you're still going to do this over a sha1 hash because of the way git works.
or... gpg gets obsoleted along with sha1
> since more than 20 years.
a bit sad that "since for time_points, for for time_duration" grammar rule isn't as well known as it should
It's his second language. I think we can cut him some slack.
It's not like that's even a common mistake, in my experience
"since <duration>" is the normal grammar in German and has the semantics of "since subtract(now, <duration>)" as you would expect
German. "seit" for both.
since we are at time constructs, german also uses "wenn" when english uses "if" or "when".
from constructive corrections, we learn our grammatical, semantical mistakes, hence we move forward to better understand each other.