Author: Roy Badami 2013-04-01 22:51:07
Published on: 2013-04-01T22:51:07+00:00
The discussion revolves around whether a SHA-1 collision attack, which produces two different messages with the same hash, could be used to get a malicious pull request into a repository on Github. It is pointed out that a collision attack is not the same as a second preimage attack: in a collision the attacker chooses both messages, whereas a second preimage attack would let someone craft a message that hashes to the same value as an existing message chosen by somebody else. The second preimage case is the much harder problem (generically 2^160 work for SHA-1 versus roughly 2^80 for a collision) and is the one that would be needed to silently replace a file that is already in the repo. It is also stated that social engineering is the more likely way to get malicious code into the repo.

The numbers are run to estimate the feasibility of such an attack, and it is noted that with source code an attacker has far longer to prepare than the blockchain's 10-minute window allows. The conversation then turns to whether someone could replace a file on Github with a colliding version they had prepared in advance. While there is some concern about this, it is generally agreed that it is not a feasible attack vector, especially compared to other threats such as Github itself being compromised or core developers' passwords being compromised. It is emphasised that peer review and keeping an eye out for suspicious commits help mitigate the risk.
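The following is an added worked example, not code from the original discussion or from any project mentioned in it. It reproduces git's SHA-1 object hashing (the `blob <size>\0<content>` header that git hashes, which is why a file's object ID depends only on its bytes), models the "replace a merged file with a prepared one" scenario as the content check a git client performs when it receives an object, and works out the generic collision and second-preimage cost for a 160-bit hash. The sample file contents and the hash rate (`ASSUMED_HASHES_PER_SECOND`) are constructed assumptions for illustration.

```python
import hashlib
import math

# Hypothetical hash rate used only for the time estimate; an assumption for
# illustration, not a figure from the discussion.
ASSUMED_HASHES_PER_SECOND = 1e12


def git_object_id(obj_type: str, data: bytes) -> str:
    """SHA-1 object ID git assigns to `data` stored as `obj_type`.

    Git hashes the header "<type> <size>\\0" followed by the raw bytes, so a
    file's ID depends only on its content, never on its path or commit.
    """
    header = f"{obj_type} {len(data)}\0".encode()
    return hashlib.sha1(header + data).hexdigest()


def verify_object(oid: str, obj_type: str, data: bytes) -> bool:
    """The check a git client effectively makes on a received object: does the
    content hash to the ID it was requested under? A swapped-in file fails
    this unless the attacker holds a second preimage of someone else's file or
    previously got one half of a colliding pair merged."""
    return git_object_id(obj_type, data) == oid


def generic_attack_work(bits: int) -> dict:
    """Expected hash evaluations for generic attacks on an ideal n-bit hash.

    Collision (attacker picks both messages): birthday bound,
    about sqrt(pi/2 * 2^n), i.e. on the order of 2^(n/2).
    Second preimage (target fixed by someone else): about 2^n.
    Known cryptanalytic results on SHA-1 bring the collision cost below the
    birthday bound; no comparable shortcut is known for second preimages.
    """
    return {
        "collision": math.sqrt(math.pi / 2 * 2.0 ** bits),
        "second_preimage": 2.0 ** bits,
    }


def years_required(evaluations: float, hashes_per_second: float) -> float:
    """Wall-clock years needed to perform `evaluations` hashes at the rate."""
    return evaluations / hashes_per_second / (365.25 * 24 * 3600)


def swap_scenario(benign: bytes, malicious: bytes) -> dict:
    """Model the 'replace a merged file later' worry: the benign file is merged
    under its object ID, and a malicious version is later served under the
    same ID. Git only accepts the swap if the two contents share an ID."""
    oid = git_object_id("blob", benign)
    return {
        "merged_oid": oid,
        "swap_accepted": verify_object(oid, "blob", malicious),
    }


if __name__ == "__main__":
    # Constructed sample file contents, not taken from any real repository.
    benign = b"def check(x):\n    return x > 0\n"
    malicious = b"def check(x):\n    return True\n"
    print(swap_scenario(benign, malicious))
    for kind, n in generic_attack_work(160).items():
        years = years_required(n, ASSUMED_HASHES_PER_SECOND)
        print(f"{kind}: ~2^{math.log2(n):.1f} hashes, about {years:.3g} years")
```

Running the block shows the swap rejected (the two sample files have different object IDs) and the generic cost gap: around 2^80 hashes for a collision against 2^160 for a second preimage, which is why the thread's feasibility discussion only concerns an attacker who prepares both halves of a colliding pair ahead of time rather than one who targets a file already in the repo.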
Updated on: 2023-06-06T11:31:08.355553+00:00