Skip to content

Switch to sha256 for our repositories

The weakness of SHA1 in git poses a risk to the integrity of our repositories. This can be mitigated by either using signed commits (NB: signed tags do not mitigate this risk), or switching to sha256 as object format.

There are a number of caveats:

  • sha256 support is stable since git 2.42, but bookworm still ships an earlier version
  • i'm not sure gitolite supports sha256 (gitaly does!)
  • i'm not sure if and to which degree it's possible to merge between sha1 and sha256 repositories

Let's start by testing various scenario's and evaluating which repositories we can migrate.