

Comments
Hacker News
> We complied with standard responsible disclosure procedure throughout this work. We initiated responsible disclosure with GNU and Git on Jan 16th 2026, as well as Github on March 3rd 2026; as of writing, unfortunately this issue has failed to be addressed by Git nor any Git forge.by java-man
Why would the author have disclosed the issue to GNU? As far as I know, they don't have anything to do with the development of Git. Perhaps it's because they run a Git server for their Savannah forge, but then again, so does pretty much every other forge out there, most of which are far more widely used.
by logological
by smitop
I like your vastly simpler reproduction of the issue, too. :-)
by phyzome
I don’t think this is true on either count: systems that pin to commits frequently don’t look at commit signatures at all, and there is no particular assumption of uniqueness between object IDs and contents (given that object IDs can point to each other across namespaces, e.g. a tag reference that peels to a commit).
(I also agree with the points below about this probably not being a useful form of malleability: there are a nearly infinite number of ways to “malleate” janky encodings like GPG packets and CMS. The much more interesting malleability is when an attacker forges a signature over contents the victim did not intend to sign, which is not demonstrated.)
by woodruffw
Join the discussion
Write your take first — we'll ask for email only when you're ready to publish.
- Hacker News
> We complied with standard responsible disclosure procedure throughout this work. We initiated responsible disclosure with GNU and Git on Jan 16th 2026, as well as Github on March 3rd 2026; as of writing, unfortunately this issue has failed to be addressed by Git nor any Git forge.by java-man- > We complied with standard responsible disclosure procedure throughout this work. We initiated responsible disclosure with GNU and Git on Jan 16th 2026…
Why would the author have disclosed the issue to GNU? As far as I know, they don't have anything to do with the development of Git. Perhaps it's because they run a Git server for their Savannah forge, but then again, so does pretty much every other forge out there, most of which are far more widely used.
by logological - I don't think this is really a problem; I wrote about my thoughts at https://iter.ca/post/git-malleate/by smitop
- Yeah, I can imagine that there might be some esoteric situation where this becomes problematic but it's really not clear what it would be.
I like your vastly simpler reproduction of the issue, too. :-)
by phyzome - > Systems that pin to commit hashes (e.g. Go module proxies, Nix flake locks, Github Actions references, Dockerfiles naming a specific commit, etc) rely on the assumption that a hash is a unique handle for content under a given signer.
I don’t think this is true on either count: systems that pin to commits frequently don’t look at commit signatures at all, and there is no particular assumption of uniqueness between object IDs and contents (given that object IDs can point to each other across namespaces, e.g. a tag reference that peels to a commit).
(I also agree with the points below about this probably not being a useful form of malleability: there are a nearly infinite number of ways to “malleate” janky encodings like GPG packets and CMS. The much more interesting malleability is when an attacker forges a signature over contents the victim did not intend to sign, which is not demonstrated.)
by woodruffw
Related stories
Kani: A Model Checker for Rust
arxiv.org · 114 points · 7 comments
Decoding the obfuscated bash script on a Uniqlo t-shirt
tris.sherliker.net · 1063 points · 181 comments
StreetComplete: Fixing OpenStreetMap, one tiny quest at a time
streetcomplete.app · 761 points · 182 comments
Every new car sold in the European Union must include a driver monitoring camera
allaboutcookies.org · 736 points · 969 comments
Chat Control 1.0 and 2.0 Explained
fightchatcontrol.eu · 645 points · 238 comments
Microsoft fire idTech team at Id software
gamefromscratch.com · 597 points · 533 comments