Colliding with the SHA prefix of Linux's initial Git commit

  • Kees Cook's concern: A discussion raised the growing chance of collisions among the 12-character commit SHA prefixes used in Linux's "Fixes" tags. Geert wanted to raise the minimum short ID to 16 characters but faced push-back.
  • Example of 12-character prefix collision: The collision was made against the start of Git history (commit 1da177e4c3f4 ("Linux-2.6.12-rc2")), which is referenced by 590 "Fixes: 1da177e4c3f4" tags in the Git log.
  • Tools affected: Tools like linux-next's "Fixes tag checker", the Linux CNA's commit parser, and Kees' own CVE lifetime analysis scripts do programmatic analysis of the "Fixes" tag and had no support for collisions.
  • Breaking the tools: Kees broke these tools with commit 1da177e4c3f4 ("docs: git SHA prefixes are for humans"), which shares its 12-character prefix with the initial commit. Resolving the short ID now fails with the error "short object ID 1da177e4c3f4 is ambiguous".
  • Not in upstream yet: This commit is not in the upstream Linux tree to avoid breaking other tools. It can be used as a test commit for those who want to fix it ahead of future collisions.
  • Thanks to lucky-commit project: The lucky-commit project grinds trailing commit message whitespace to find collisions. It took about 6 hours on Kees' OpenCL-enabled RTX 3080 GPU to find the 12-character prefix collision.
  • For more: For questions, comments, etc., see this thread.
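
One way a "Fixes" tag parser can survive an ambiguous prefix is to fall back on the quoted subject that the tag already carries. The following is an added example, not code from Kees' post or from any of the tools named above; the function name, the exception and the commit index are assumptions, and the full IDs are constructed placeholders that only share the 12-character prefix from this page.

```python
import re

# Constructed sample index: full IDs are padded placeholders, not real hashes.
# The first two share the 12-character prefix discussed on this page.
COMMITS = {
    "1da177e4c3f4" + "a" * 28: "Linux-2.6.12-rc2",
    "1da177e4c3f4" + "b" * 28: "docs: git SHA prefixes are for humans",
    "0123456789ab" + "c" * 28: "example: unrelated commit",
}

# Fixes: <7-40 hex chars> ("subject"); the subject part is optional here.
FIXES_RE = re.compile(
    r'^Fixes:\s+([0-9a-f]{7,40})(?:\s+\("(.*)"\))?\s*$', re.IGNORECASE
)


class AmbiguousFixes(Exception):
    """Raised when a prefix matches several commits and the subject cannot decide."""


def resolve_fixes(line, commits=COMMITS):
    """Return the full ID a Fixes: line refers to, or None if no commit matches.

    A prefix that matches several commits is disambiguated by the quoted
    subject instead of being treated as a fatal lookup error.
    """
    m = FIXES_RE.match(line.strip())
    if not m:
        raise ValueError("not a Fixes: tag: %r" % line)
    prefix, subject = m.group(1).lower(), m.group(2)

    candidates = [sha for sha in commits if sha.startswith(prefix)]
    if not candidates:
        return None
    if len(candidates) == 1:
        return candidates[0]

    # Ambiguous prefix: keep only candidates whose subject matches the tag.
    matching = [sha for sha in candidates if commits[sha] == subject]
    if len(matching) == 1:
        return matching[0]
    raise AmbiguousFixes(
        "short object ID %s is ambiguous (%d candidates)" % (prefix, len(candidates))
    )
```

A tool working on a real repository would build the candidate list from Git itself rather than from a dictionary; the disambiguation step stays the same.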