Linus Torvalds on SHA-1 and Git: 'The sky isn't falling'

Yes, SHA-1 has been cracked, but that doesn't mean your code in Git repositories is in any real danger of being hacked.
Written by Steven Vaughan-Nichols, Senior Contributing Editor

The real worry about Google showing SHA-1 encryption is crackable, as pointed out by Peter Gutmann, a cryptography expert at the at the University of Auckland, New Zealand, is "with long-term document signing and certificates". But, what about the distributed version control system Git code repositories? Linus Torvalds, Linux and Git's inventor, doesn't see any real security headaches ahead for you.

Git Logo

SHA-1 may be vulnerable to attack but your Git-based source code is still safe for all practical purposes.

Torvalds and other Linux kernel developers created Git in 2005 as Linux's distributed version control system. It's also used by multiple major companies including Facebook, Google, and Twitter, to manage their code-bases. Git is also used in GitHub, the world's most popular source code-management site. Even Microsoft uses GitHub. Indeed, Microsoft has more open-source developers than any other company on GitHub.

In short, Git is arguably the most important code version control system of all. If the system was fundamentally vulnerable to hacking this would be bad news.

Torvalds doesn't think that Git is susceptible to such attacks. As he explained in his Google+ account:

(1) First off -- the sky isn't falling. There's a big difference between using a cryptographic hash for things like security signing, and using one for generating a "content identifier" for a content-addressable system like git.

(2) Secondly, the nature of this particular SHA1 attack means that it's actually pretty easy to mitigate against, and there's already been two sets of patches posted for that mitigation.

(3) And finally, there's actually a reasonably straightforward transition to some other hash that won't break the world -- or even old git repositories.

Still worried? Don't be.

Torvalds continued, "You use git for source control like in the kernel, the stuff you really care about is source code, which is very much a transparent medium. If somebody inserts random odd generated crud in the middle of your source code, you will absolutely notice ... So fundamentally, if the data you primarily care about is that kind of transparent source code, the attack is pretty limited to begin with. You'll see the attack. It's not silently switching your data under from you."

In a note to the Git developer mailing list, Torvalds sums up the problem of SHA-1 and Git as simply two questions: "Do we want to migrate to another hash? Yes. Is it 'game over' for SHA1 like people want to say? Probably not."

Eventually, Torvalds says Git will move from SHA-1. But, "it doesn't look all that nasty, and you don't even have to convert your repository. There's a lot of details to this, and it will take time, but because of the issues above, it's not like this is a critical 'it has to happen now security thing'."

Related Stories:

Editorial standards