Whatever happened to SHA-256 support in Git?

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

Our great sponsors
  • InfluxDB - Power Real-Time Data Analytics at Scale
  • WorkOS - The modern identity platform for B2B SaaS
  • SaaSHub - Software Alternatives and Reviews
  • libgit2

    A cross-platform, linkable library implementation of Git that you can use in your application.

    > All that is left is the hard work of making the transition to a new hash easy for users — what could be thought of as "the other 90%" of the job.

    If that was all that was left, we could at least be using sha256 for new repositories.

    It seems to me the big missing piece is support in libgit2, which is at least showing signs of progress:

    https://github.com/libgit2/libgit2/pull/6191

  • Gitolite

    Hosting git repositories -- Gitolite allows you to setup git hosting on a central server, with very fine-grained access control and many (many!) more powerful features.

  • InfluxDB

    Power Real-Time Data Analytics at Scale. Get real-time insights from all types of time series data with InfluxDB. Ingest, query, and analyze billions of data points in real-time with unbounded cardinality.

  • Gitea

    Git with a cup of tea! Painless self-hosted all-in-one software development service, including Git hosting, code review, team collaboration, package registry and CI/CD

    as the article says, you can create a local git repository with SHA-256 hashes today, and it should work fine...but the moment you try to push your repo up to Github, you'll hit a break wall.

    Gitlab also appears to be lacking support [0], and the same with Gitea [1].

    so it's a grey area where Git itself supports SHA-256-based repos, but without the major Git hosting services also supporting them, the support in core Git is somewhat useless.

    0: https://gitlab.com/groups/gitlab-org/-/epics/794

    1: https://github.com/go-gitea/gitea/issues/13794

  • multihash

    Self describing hashes - for future proofing

    Also check out multihash from the IPFS folks: https://github.com/multiformats/multihash

    It's a more robust, well-specified, interoperable version of this concept.

    Though it's probably overkill if you control both the consumer and producer side (i.e. don't need the interoperability) and are just looking to make hash upgrades smoother, in that case a simple version prefix like Go's approach described above has lower overhead.

  • OpenSSL

    TLS/SSL and crypto library

    Googling i noticed there seems to be a bug in openssl where it does not use optimized sha-512 on m1 (but does for sha256) - https://github.com/openssl/openssl/issues/14897 so that might be the explanation.

    Also i think the length of the input matters when comparing sha256 vs sha512.

  • WorkOS

    The modern identity platform for B2B SaaS. The APIs are flexible and easy-to-use, supporting authentication, user identity, and complex enterprise features like SSO and SCIM provisioning.

NOTE: The number of mentions on this list indicates mentions on common posts plus user suggested alternatives. Hence, a higher number means a more popular project.

Suggest a related project

Related posts