You're following the wrong train down the wrong tracks. Git [0-9a-f]{40} is to CVS 1[.][1-9][0-9]+. You're arguing that CVS is more secure because its commits are sequential numbers.

On Sat, Sep 20, 2014 at 4:20 PM, Ulrich Mueller <ulm@gentoo.org> wrote:
>>>>> On Sat, 20 Sep 2014, hasufell  wrote:

>>> This is a bug in git. Do you want us to wait until it is resolved?
>>
>> Not a bug. There are VCSs (like Subversion or Bazaar) that use simple
>> revision numbers to identify their commits. Git happens to use a hash,
>> which is perfectly fine as long as accidental collisions are unlikely.
>> Neither has to do anything with security, though.

> Because there are other VCSs it is not a bug??

No, but with any other VCS we wouldn't have this discussion. Git using
SHA-1 obscures the fact that an additional security layer is needed.
This can be either a secure channel for accessing the repository
(developers pushing their commits to it), or signed Manifests that
ensure integrity of the tree distributed to users.

> Of course it is a bug since it is in the gpg-signing chain and to
> use it in a practical way is very unlikely.

> So you are suggesting to not migrate at all or severely break the
> workflow because someone might forge _working code_ with a specific
> SHA1? There is no efficient algorithm for that afaik, those are just
> about finding _any_ collision and even then it takes considerable
> resources that can be used to break gentoo in much easier ways.

Weakness of SHA-1 is discussed since several years, and it is
generally recommended that one should slowly move away from it.
Therefore I would find it strange if we (in 2014!) deployed a system
relying on it, while in our present Manifest files SHA-1 was already
abandoned long time ago, in favour of more secure hashes. It looks
like a move in the wrong direction.

Ulrich