On Wed, Apr 2, 2025 at 1:26 PM Christian Couder <christian.couder@xxxxxxxxx> wrote: > > On Wed, Apr 2, 2025 at 9:38 AM Patrick Steinhardt <ps@xxxxxx> wrote: > > > > On Tue, Apr 01, 2025 at 03:36:29PM -0500, Justin Tobler wrote: > > > diff --git a/Documentation/git-version.adoc b/Documentation/git-version.adoc > > > index 80fa7754a6..f06758a7cf 100644 > > > --- a/Documentation/git-version.adoc > > > +++ b/Documentation/git-version.adoc > > > @@ -22,6 +22,9 @@ OPTIONS > > > --build-options:: > > > Include additional information about how git was built for diagnostic > > > purposes. > > > ++ > > > +Note that the SHA1 options `SHA1_APPLE`, `SHA1_OPENSSL`, and `SHA1_BLK` do not > > > +have collision detection. > > > > I think this note is somewhat funny for an unsuspecting reader. On the > > one hand they're going to be puzzled why you're talking about SHA1 in > > the first place because it isn't mentioned at all beforehand. And on the > > other hand they will wonder what collision detection even is in the > > first place. > > > > So I would either drop this paragraph completely or expand it to give a > > bit more context. > > Yeah, I think it's worth giving more information, like perhaps: > > "For the libraries used to implement the SHA-1 and SHA-2 algorithms s/SHA-2/SHA-256/ > only symbolic information, like `SHA-1: SHA1_APPLE` or `SHA-256: > SHA256_NETTLE` is displayed. Note that the SHA1 options `SHA1_APPLE`, > `SHA1_OPENSSL`, and `SHA1_BLK` mean that no collision detection > algorithm is used, so known SHA-1 attacks might be possible, see > https://en.wikipedia.org/wiki/SHA-1.";
