Public attestation of state witnessing regarding a Go repository ownership change
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

I am Phil Pennock, I program in Go. I am writing this text on 2018-02-08.
It should be found PGP-signed from a key in the strong-set, so that this
public attestation can be verified by others.

To the best of my knowledge, I am in no way affiliated with whomever has
registered the new "jteeuwen" GitHub account.

My laptop has github.com/jteeuwen/go-bindata checked out in the GOPATH;
I did not clone it myself, it was a dependency of some other project which was
checked out. (Two pieces of local data back this conclusion).

The repository was cloned on 2017-10-25 and there is only one entry in the
reflog: the initial clone:

a0ff256 (HEAD -> master, origin/master, origin/HEAD) HEAD@{0}: clone: from https://github.com/jteeuwen/go-bindata

The last commit is "a0ff2567cfb70903282db057e799fd826784d41d" from 2015-10-23.

This matches the content which I see today in the GitHub repository which
someone else has created.

Thus I conclude that either there has been a practical second-preimage SHA1
collision attack against Git, or the repository contents really do match the
contents of three months ago.

I strongly suspect that it's the latter case and that the content is a
good-faith restoration to unbreak things, rather than an attack.

- -Phil Pennock, 2018-02-08
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----