> Granted, the file that the commit touches would need to be not touched in othe... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		sirclueless on Oct 13, 2021 \| parent \| context \| favorite \| on: SHA-1 'fully and practically broken' by new collis... > Granted, the file that the commit touches would need to be not touched in other commits. That's not how git works. The commit contains the entire tree. You could prepare two separate repositories such that `git checkout deadbeef0001deadbeef` in one checks out the linux kernel and in the other checks out ILOVEYOU.exe.

noway421 on Oct 13, 2021 [–]

You're right. Commit id points to a commit object, that points to a tree object and subsequently to individual blob objects. Then it is sufficiently harder, you need to find a collision between 2 blob objects, both of which are executable and don't look suspicious.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact