On Wed, Apr 2, 2025 at 9:38 AM Patrick Steinhardt <ps@xxxxxx> wrote: > > On Tue, Apr 01, 2025 at 03:36:29PM -0500, Justin Tobler wrote: > > diff --git a/Documentation/git-version.adoc b/Documentation/git-version.adoc > > index 80fa7754a6..f06758a7cf 100644 > > --- a/Documentation/git-version.adoc > > +++ b/Documentation/git-version.adoc > > @@ -22,6 +22,9 @@ OPTIONS > > --build-options:: > > Include additional information about how git was built for diagnostic > > purposes. > > ++ > > +Note that the SHA1 options `SHA1_APPLE`, `SHA1_OPENSSL`, and `SHA1_BLK` do not > > +have collision detection. > > I think this note is somewhat funny for an unsuspecting reader. On the > one hand they're going to be puzzled why you're talking about SHA1 in > the first place because it isn't mentioned at all beforehand. And on the > other hand they will wonder what collision detection even is in the > first place. > > So I would either drop this paragraph completely or expand it to give a > bit more context. Yeah, I think it's worth giving more information, like perhaps: "For the libraries used to implement the SHA-1 and SHA-2 algorithms only symbolic information, like `SHA-1: SHA1_APPLE` or `SHA-256: SHA256_NETTLE` is displayed. Note that the SHA1 options `SHA1_APPLE`, `SHA1_OPENSSL`, and `SHA1_BLK` mean that no collision detection algorithm is used, so known SHA-1 attacks might be possible, see https://en.wikipedia.org/wiki/SHA-1.";
