Presto, crypto, change-o: Git 2.29 goes into final leg of project’s SHA-256 transition

By Julia Schmidt
-
Presto, crypto, change-o: Git 2.29 goes into final leg of project’s SHA-256 transition

Version control system Git 2.29 is now available, fitting the Torvalds-spawn project with experimental SHA-256 support and negative refspecs, amongst other things.

The transition from SHA-1 to SHA-256 has been in the works for a couple of years now. The main motivation for the transition is that SHA-1 had made the project vulnerable to the so-called SHAttered attack, first presented to the public in February 2017. 

Git uses a hash function to name content like files or revisions to facilitate integrity checks, and allow signing them for added trust, amongst other things. In order to keep those qualities, the project first switched to a more secure SHA-1 implementation to mitigate any known risks, but soon looked into a transition to SHA-256, which seemed more prudent in the long run.

Git 2.29 is the first version of the tool that can be operated in SHA-256 mode. Before giving it a go, you need to enable the latter during the initialisation process by using the -object-format=sha256 option. 

Users have to be aware, however, that SHA-1 and SHA-256 repositories aren’t interoperable yet, so they’ll have to stick to one of the object formats in their repos. And to their own hosting solution for that matter, since GitHub, GitLab and Co aren’t done implementing their SHA-256 repo support yet.

Readers more interested in more practical enhancements could look into the new repair subcommand for git worktree, which is supposed to help users left with problems because they moved their worktrees or repositories manually, without telling version control. The worktree command also learned -d as a synonym for –detach to create a new worktree without being on a branch.

Commands like git fetch and git push have also gotten a bit more comfortable to use, since you can now use the ^ indicator to signal which references should be excluded. In earlier versions the only way to make that known was by setting up a list with everything to be included, which could make matters quite complicated. Untracked files can be included into a snapshot now using the –add-file option with git archive.

Other improvements include the new –first-parent option in git bisect to find the first breakage in a first-parent chain quicker, and the addition of git maintenance to take over maintenance tasks that aren’t limited to object database cleaning – the way git gc is, for example. 

More details and notes on fixes since the last release can be found in the project’s release notes.

AWS combines "building block" blueprints with CodeCatalyst for rapid project creation including DevO...
Atlassian takes another step toward full DevOps automation
GitHub autofix progresses to public beta: insecure code corrected with AI, but only for enterprise
Secret leakage in public GitHub repositories increasing, claims new report
Test launch of TEA open source reward project clouded by repository spam attack 
From Docker to Dagger: Solomon Hykes on modernisation of the DevOps pipeline
Enterprises struggle with Agile methodology, reports long-standing survey of practitioners
Spotlight on GitHub self-hosted runners again as researcher demonstrates attack on PyTorch code
PyPy moves from Mercurial, says 'open source has become synonymous with GitHub'
Where next for Jamstack? Netlify survey avoids the word, highlights rise of Astro
Docker buys AtomicJar to integrate container-based test automation
AWS promotes cell-based architecture for 'resilience at scale'