Public attestation of state witnessing regarding a Go repository ownership change
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
I am Phil Pennock, I program in Go. I am writing this text on 2018-02-08.
It should be found PGP-signed from a key in the strong-set, so that this
public attestation can be verified by others.
To the best of my knowledge, I am in no way affiliated with whomever has
registered the new "jteeuwen" GitHub account.
My laptop has github.com/jteeuwen/go-bindata checked out in the GOPATH;
I did not clone it myself, it was a dependency of some other project which was
checked out. (Two pieces of local data back this conclusion).
The repository was cloned on 2017-10-25 and there is only one entry in the
reflog: the initial clone:
a0ff256 (HEAD -> master, origin/master, origin/HEAD) HEAD@{0}: clone: from https://github.com/jteeuwen/go-bindata
The last commit is "a0ff2567cfb70903282db057e799fd826784d41d" from 2015-10-23.
This matches the content which I see today in the GitHub repository which
someone else has created.
Thus I conclude that either there has been a practical second-preimage SHA1
collision attack against Git, or the repository contents really do match the
contents of three months ago.
I strongly suspect that it's the latter case and that the content is a
good-faith restoration to unbreak things, rather than an attack.
- -Phil Pennock, 2018-02-08
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----