philpennock · February 8, 2018 21:17
diff --git a/go-bindata.txt.asc b/go-bindata.txt.asc
 -----BEGIN PGP SIGNED MESSAGE-----
 Hash: SHA256

 I am Phil Pennock, I program in Go.  I am writing this text on 2018-02-08.
 It should be found PGP-signed from a key in the strong-set, so that this
 public attestation can be verified by others.

 To the best of my knowledge, I am in no way affiliated with whomever has
 registered the new "jteeuwen" GitHub account.

 My laptop has github.com/jteeuwen/go-bindata checked out in the GOPATH;
 I did not clone it myself, it was a dependency of some other project which was
 checked out.  (Two pieces of local data back this conclusion).

 The repository was cloned on 2017-10-25 and there is only one entry in the
 reflog: the initial clone:

 a0ff256 (HEAD -> master, origin/master, origin/HEAD) HEAD@{0}: clone: from https://github.com/jteeuwen/go-bindata

 The last commit is "a0ff2567cfb70903282db057e799fd826784d41d" from 2015-10-23.

 This matches the content which I see today in the GitHub repository which
 someone else has created.

 Thus I conclude that either there has been a practical second-preimage SHA1
 collision attack against Git, or the repository contents really do match the
 contents of three months ago.

 I strongly suspect that it's the latter case and that the content is a
 good-faith restoration to unbreak things, rather than an attack.

 - -Phil Pennock, 2018-02-08

 -----BEGIN PGP SIGNATURE-----

 iHUEARYIAB0WIQROXBeef/xNv45sEy9REE5mjdBEgQUCWny+CgAKCRBREE5mjdBE
 gREFAP0TxwlzvP4QlJu7pHgH8AV90VPSVXJ8yTSgL79TGeTe7QD+KnWFvw+YU9O0
 5p5ZJjmHQm2/qRmfS+hFyn+67Jtshw+JAjMEAQEIAB0WIQTGk6A04e1u6VTK4toT
 2tmcfkFRnAUCWny+CgAKCRAT2tmcfkFRnOgJD/wIeZHWnM9AX25hJc6aL8CX4V0k
 +AeKab14pNbVnkjldphhmiqNiOQ8EyjBF8jI+vIr+K7c/BrxKHHaAELhWq07UrpS
 Dtfchvn/sBexcRqvBLKUxf7KKfn5rCHqzwZPgx0pEHza8fs1dSLAuQ7lIoI/BiRg
 /kZhQ7ihkRMmutccB7X+kZXJG1gPakLXltF/R4IlG4PEXaAgZSP31+4fcRAkM/sb
 a39zxhYp/BSIDkRNI0TAZY0K9LGYE2dm3yKisXolUsphpMgQf+zvoTORpotcGTOb
 1ZRV8tkNuDvGa3YVgkcbwklLuIavm9gGi1yXd6GFCLXwlzfD+Co85uzdYz16UanN
 RUF7yXDA4+9qGd7b1NGEnzLaFBq0BiO6zh3NsNSqCLyR+sIDwHS2r8Y8u52ZOTNk
 A3tJDQsSwwWYHhz/ZXq5Tcm9QxYHJxNG2YLLQ7QmKSH49LXm+BDikM1qJOcDCzoV
 xTXoxYK74NOXcAm9VALWHF+aTioR6K5NAk98f4/K6OzMKuWh6X14Tu0RlWqijK6j
 PRsrLkz3e6jWZ+l3e5fzeBI3xKycrkunq226XH6UuGfs91L7FTyM0npV7a9veXYg
 yDqYIPGqNZyMndgfGqIcuu3DxAuhrI2raEMGFVTPSjxJ9iYiKDkDrCM4KPd0YJVJ
 PiWVO83zpYYzdULn4A==
 =hfNQ
 -----END PGP SIGNATURE-----
	-----BEGIN PGP SIGNED MESSAGE-----
	Hash: SHA256

	I am Phil Pennock, I program in Go. I am writing this text on 2018-02-08.
	It should be found PGP-signed from a key in the strong-set, so that this
	public attestation can be verified by others.

	To the best of my knowledge, I am in no way affiliated with whomever has
	registered the new "jteeuwen" GitHub account.

	My laptop has github.com/jteeuwen/go-bindata checked out in the GOPATH;
	I did not clone it myself, it was a dependency of some other project which was
	checked out. (Two pieces of local data back this conclusion).

	The repository was cloned on 2017-10-25 and there is only one entry in the
	reflog: the initial clone:

	a0ff256 (HEAD -> master, origin/master, origin/HEAD) HEAD@{0}: clone: from https://github.com/jteeuwen/go-bindata

	The last commit is "a0ff2567cfb70903282db057e799fd826784d41d" from 2015-10-23.

	This matches the content which I see today in the GitHub repository which
	someone else has created.

	Thus I conclude that either there has been a practical second-preimage SHA1
	collision attack against Git, or the repository contents really do match the
	contents of three months ago.

	I strongly suspect that it's the latter case and that the content is a
	good-faith restoration to unbreak things, rather than an attack.

	- -Phil Pennock, 2018-02-08

	-----BEGIN PGP SIGNATURE-----

	iHUEARYIAB0WIQROXBeef/xNv45sEy9REE5mjdBEgQUCWny+CgAKCRBREE5mjdBE
	gREFAP0TxwlzvP4QlJu7pHgH8AV90VPSVXJ8yTSgL79TGeTe7QD+KnWFvw+YU9O0
	5p5ZJjmHQm2/qRmfS+hFyn+67Jtshw+JAjMEAQEIAB0WIQTGk6A04e1u6VTK4toT
	2tmcfkFRnAUCWny+CgAKCRAT2tmcfkFRnOgJD/wIeZHWnM9AX25hJc6aL8CX4V0k
	+AeKab14pNbVnkjldphhmiqNiOQ8EyjBF8jI+vIr+K7c/BrxKHHaAELhWq07UrpS
	Dtfchvn/sBexcRqvBLKUxf7KKfn5rCHqzwZPgx0pEHza8fs1dSLAuQ7lIoI/BiRg
	/kZhQ7ihkRMmutccB7X+kZXJG1gPakLXltF/R4IlG4PEXaAgZSP31+4fcRAkM/sb
	a39zxhYp/BSIDkRNI0TAZY0K9LGYE2dm3yKisXolUsphpMgQf+zvoTORpotcGTOb
	1ZRV8tkNuDvGa3YVgkcbwklLuIavm9gGi1yXd6GFCLXwlzfD+Co85uzdYz16UanN
	RUF7yXDA4+9qGd7b1NGEnzLaFBq0BiO6zh3NsNSqCLyR+sIDwHS2r8Y8u52ZOTNk
	A3tJDQsSwwWYHhz/ZXq5Tcm9QxYHJxNG2YLLQ7QmKSH49LXm+BDikM1qJOcDCzoV
	xTXoxYK74NOXcAm9VALWHF+aTioR6K5NAk98f4/K6OzMKuWh6X14Tu0RlWqijK6j
	PRsrLkz3e6jWZ+l3e5fzeBI3xKycrkunq226XH6UuGfs91L7FTyM0npV7a9veXYg
	yDqYIPGqNZyMndgfGqIcuu3DxAuhrI2raEMGFVTPSjxJ9iYiKDkDrCM4KPd0YJVJ
	PiWVO83zpYYzdULn4A==
	=hfNQ
	-----END PGP SIGNATURE-----
No results found