> How could any of us have trusted any source code before 2005?! Somehow we did, though...
They used PGP to sign the tarball, which was a way better idea since you could just use a different hash function for your signature after SHA-1 was broken in 2005[1].
Everybody serious about security kept doing that, since signed git commits were just asking for trouble due to the hard dependency on SHA-1.
[1]: https://www.schneier.com/blog/archives/2005/02/sha1_broken.h...
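The "hard dependency on sha1" the comment refers to, as an added illustration that is not part of the thread: a git commit signature covers the commit text, and every tree and parent reference inside that text is a SHA-1 id, whereas a detached signature over a tarball hashes the archive with whatever digest the signer chooses. Plain Python with hashlib; the actual PGP signing step is left out and the repository contents are constructed.

```python
import hashlib
import re


def git_object_id(kind: str, body: bytes) -> str:
    """Git names every object by sha1("<kind> <size>\\0<body>")."""
    header = f"{kind} {len(body)}\0".encode()
    return hashlib.sha1(header + body).hexdigest()


def commit_object(tree_id: str, parents: list, author: str, message: str) -> bytes:
    """Plain-text body of a commit object (constructed, no real repo).
    git places the gpgsig header after the committer line; the signature
    covers exactly this text, so it vouches for the SHA-1 ids inside it."""
    lines = [f"tree {tree_id}"] + [f"parent {p}" for p in parents]
    lines += [f"author {author}", f"committer {author}"]
    return ("\n".join(lines) + "\n\n" + message).encode()


def sha1_refs_in(commit: bytes) -> list:
    """All tree/parent references a commit signature implicitly endorses."""
    return re.findall(rb"^(?:tree|parent) ([0-9a-f]{40})$", commit, re.M)


def tarball_signing_input(tarball: bytes, digest: str) -> str:
    """What a detached PGP signature actually signs: a digest of the file
    computed with the algorithm the signer picks (e.g. sha256), so the
    archive's integrity never rests on SHA-1."""
    return hashlib.new(digest, tarball).hexdigest()


# Constructed sample: one file, one tree, one root commit.
blob_id = git_object_id("blob", b"print('hello')\n")
tree_id = git_object_id("tree", b"100644 hello.py\0" + bytes.fromhex(blob_id))
commit = commit_object(tree_id, [], "Dev <dev@example.invalid> 1 +0000", "initial\n")
commit_id = git_object_id("commit", commit)

# Any other blob with the same SHA-1 would yield byte-identical tree and
# commit objects, hence an identical, still-valid commit signature.
if __name__ == "__main__":
    print("commit", commit_id)
    print("refs covered by signature:", [r.decode() for r in sha1_refs_in(commit)])
    print("tarball sha256:", tarball_signing_input(b"constructed tar bytes", "sha256"))
```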