philpennock/go-bindata.txt.asc

## go-bindata.txt.asc
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

I am Phil Pennock, I program in Go.  I am writing this text on 2018-02-08.
It should be found PGP-signed from a key in the strong-set, so that this
public attestation can be verified by others.

To the best of my knowledge, I am in no way affiliated with whomever has
registered the new "jteeuwen" GitHub account.

My laptop has github.com/jteeuwen/go-bindata checked out in the GOPATH;
I did not clone it myself, it was a dependency of some other project which was
checked out.  (Two pieces of local data back this conclusion).

The repository was cloned on 2017-10-25 and there is only one entry in the
reflog: the initial clone:

a0ff256 (HEAD -> master, origin/master, origin/HEAD) HEAD@{0}: clone: from https://github.com/jteeuwen/go-bindata

The last commit is "a0ff2567cfb70903282db057e799fd826784d41d" from 2015-10-23.

This matches the content which I see today in the GitHub repository which
someone else has created.

Thus I conclude that either there has been a practical second-preimage SHA1
collision attack against Git, or the repository contents really do match the
contents of three months ago.

I strongly suspect that it's the latter case and that the content is a
good-faith restoration to unbreak things, rather than an attack.

- -Phil Pennock, 2018-02-08

-----BEGIN PGP SIGNATURE-----

iHUEARYIAB0WIQROXBeef/xNv45sEy9REE5mjdBEgQUCWny+CgAKCRBREE5mjdBE
gREFAP0TxwlzvP4QlJu7pHgH8AV90VPSVXJ8yTSgL79TGeTe7QD+KnWFvw+YU9O0
5p5ZJjmHQm2/qRmfS+hFyn+67Jtshw+JAjMEAQEIAB0WIQTGk6A04e1u6VTK4toT
2tmcfkFRnAUCWny+CgAKCRAT2tmcfkFRnOgJD/wIeZHWnM9AX25hJc6aL8CX4V0k
+AeKab14pNbVnkjldphhmiqNiOQ8EyjBF8jI+vIr+K7c/BrxKHHaAELhWq07UrpS
Dtfchvn/sBexcRqvBLKUxf7KKfn5rCHqzwZPgx0pEHza8fs1dSLAuQ7lIoI/BiRg
/kZhQ7ihkRMmutccB7X+kZXJG1gPakLXltF/R4IlG4PEXaAgZSP31+4fcRAkM/sb
a39zxhYp/BSIDkRNI0TAZY0K9LGYE2dm3yKisXolUsphpMgQf+zvoTORpotcGTOb
1ZRV8tkNuDvGa3YVgkcbwklLuIavm9gGi1yXd6GFCLXwlzfD+Co85uzdYz16UanN
RUF7yXDA4+9qGd7b1NGEnzLaFBq0BiO6zh3NsNSqCLyR+sIDwHS2r8Y8u52ZOTNk
A3tJDQsSwwWYHhz/ZXq5Tcm9QxYHJxNG2YLLQ7QmKSH49LXm+BDikM1qJOcDCzoV
xTXoxYK74NOXcAm9VALWHF+aTioR6K5NAk98f4/K6OzMKuWh6X14Tu0RlWqijK6j
PRsrLkz3e6jWZ+l3e5fzeBI3xKycrkunq226XH6UuGfs91L7FTyM0npV7a9veXYg
yDqYIPGqNZyMndgfGqIcuu3DxAuhrI2raEMGFVTPSjxJ9iYiKDkDrCM4KPd0YJVJ
PiWVO83zpYYzdULn4A==
=hfNQ
-----END PGP SIGNATURE-----
	-----BEGIN PGP SIGNED MESSAGE-----
	Hash: SHA256

	I am Phil Pennock, I program in Go. I am writing this text on 2018-02-08.
	It should be found PGP-signed from a key in the strong-set, so that this
	public attestation can be verified by others.

	To the best of my knowledge, I am in no way affiliated with whomever has
	registered the new "jteeuwen" GitHub account.

	My laptop has github.com/jteeuwen/go-bindata checked out in the GOPATH;
	I did not clone it myself, it was a dependency of some other project which was
	checked out. (Two pieces of local data back this conclusion).

	The repository was cloned on 2017-10-25 and there is only one entry in the
	reflog: the initial clone:

	a0ff256 (HEAD -> master, origin/master, origin/HEAD) HEAD@{0}: clone: from https://github.com/jteeuwen/go-bindata

	The last commit is "a0ff2567cfb70903282db057e799fd826784d41d" from 2015-10-23.

	This matches the content which I see today in the GitHub repository which
	someone else has created.

	Thus I conclude that either there has been a practical second-preimage SHA1
	collision attack against Git, or the repository contents really do match the
	contents of three months ago.

	I strongly suspect that it's the latter case and that the content is a
	good-faith restoration to unbreak things, rather than an attack.

	- -Phil Pennock, 2018-02-08

	-----BEGIN PGP SIGNATURE-----

	iHUEARYIAB0WIQROXBeef/xNv45sEy9REE5mjdBEgQUCWny+CgAKCRBREE5mjdBE
	gREFAP0TxwlzvP4QlJu7pHgH8AV90VPSVXJ8yTSgL79TGeTe7QD+KnWFvw+YU9O0
	5p5ZJjmHQm2/qRmfS+hFyn+67Jtshw+JAjMEAQEIAB0WIQTGk6A04e1u6VTK4toT
	2tmcfkFRnAUCWny+CgAKCRAT2tmcfkFRnOgJD/wIeZHWnM9AX25hJc6aL8CX4V0k
	+AeKab14pNbVnkjldphhmiqNiOQ8EyjBF8jI+vIr+K7c/BrxKHHaAELhWq07UrpS
	Dtfchvn/sBexcRqvBLKUxf7KKfn5rCHqzwZPgx0pEHza8fs1dSLAuQ7lIoI/BiRg
	/kZhQ7ihkRMmutccB7X+kZXJG1gPakLXltF/R4IlG4PEXaAgZSP31+4fcRAkM/sb
	a39zxhYp/BSIDkRNI0TAZY0K9LGYE2dm3yKisXolUsphpMgQf+zvoTORpotcGTOb
	1ZRV8tkNuDvGa3YVgkcbwklLuIavm9gGi1yXd6GFCLXwlzfD+Co85uzdYz16UanN
	RUF7yXDA4+9qGd7b1NGEnzLaFBq0BiO6zh3NsNSqCLyR+sIDwHS2r8Y8u52ZOTNk
	A3tJDQsSwwWYHhz/ZXq5Tcm9QxYHJxNG2YLLQ7QmKSH49LXm+BDikM1qJOcDCzoV
	xTXoxYK74NOXcAm9VALWHF+aTioR6K5NAk98f4/K6OzMKuWh6X14Tu0RlWqijK6j
	PRsrLkz3e6jWZ+l3e5fzeBI3xKycrkunq226XH6UuGfs91L7FTyM0npV7a9veXYg
	yDqYIPGqNZyMndgfGqIcuu3DxAuhrI2raEMGFVTPSjxJ9iYiKDkDrCM4KPd0YJVJ
	PiWVO83zpYYzdULn4A==
	=hfNQ
	-----END PGP SIGNATURE-----