Patrick Georgi via coreboot wrote:
My argument is solely on complexity, but please don't trust that hash too much.
If I shouldn't trust "160000 commit 4c523ed10f25de872ac0513ebd6ca53d3970b9de vboot" too much, why should I trust "040000 tree 4c523ed10f25de872ac0513ebd6ca53d3970b9de vboot" (where the repo referred to through the "commit" entry comes from the very same server)?
Let's say that you've audited the files some time in the past, found them to be good, and have noted down the hash to catch obvious repo tampering or changes in the submodule commit, either of which would call for a new audit.
If you later need to re-fetch the submodule contents (maybe in a local clone into a new directory), then the hash alone is not very reliable. SHA-2 would be a lot better than SHA-1, which is in turn a lot better than MD5, but just a hash is a lot weaker than the original audit.
//Peter
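Added worked example (not part of the mail above, and not coreboot or vboot code): it recomputes git object ids offline to show that the "160000 commit" gitlink entry and the "040000 tree" entry both pin the submodule through a single 20-byte SHA-1 in the parent tree, and then keeps a separate SHA-256 audit manifest of the audited files that does not depend on git's object hashing at all. The "vboot" file contents, the author identity and the `audit_manifest`/`verify_refetch` helper names are constructed for this example.

```python
"""Recompute git object ids and keep a stronger audit pin for a submodule.

Example code, offline and self-contained.  It models the two tree entries
from the discussion, "160000 commit <sha> vboot" and "040000 tree <sha> vboot",
and a SHA-256 manifest noted at audit time.  File contents are constructed.
"""
import hashlib
import hmac
from typing import Dict, Tuple

# Constructed stand-in for a "vboot" submodule checkout (not the real vboot).
VBOOT_FILES: Dict[str, bytes] = {
    "README": b"constructed sample for the example\n",
    "firmware/vboot.c": b"int vboot_main(void) { return 0; }\n",
}


def git_object_id(kind: str, body: bytes) -> str:
    """SHA-1 of a loose git object: '<kind> <len>\\0<body>'."""
    header = f"{kind} {len(body)}".encode() + b"\0"
    return hashlib.sha1(header + body).hexdigest()


def git_tree_id(entries: Dict[str, Tuple[str, str]]) -> str:
    """Hash a tree object from {name: (mode, hex_oid)}.

    Entries are sorted by name, with subtrees sorted as if their name ended
    in '/'.  Modes carry no leading zero inside the object ('40000', shown by
    ls-tree as '040000').  A gitlink uses mode 160000 and names a commit id.
    """
    def sort_key(item):
        name, (mode, _) = item
        return name + ("/" if mode == "40000" else "")

    body = b""
    for name, (mode, oid) in sorted(entries.items(), key=sort_key):
        body += f"{mode} {name}".encode() + b"\0" + bytes.fromhex(oid)
    return git_object_id("tree", body)


def hash_directory(files: Dict[str, bytes]) -> str:
    """Build nested tree objects for a flat {path: content} map."""
    entries: Dict[str, Tuple[str, str]] = {}
    subdirs: Dict[str, Dict[str, bytes]] = {}
    for path, data in files.items():
        head, sep, rest = path.partition("/")
        if sep:
            subdirs.setdefault(head, {})[rest] = data
        else:
            entries[head] = ("100644", git_object_id("blob", data))
    for name, sub in subdirs.items():
        entries[name] = ("40000", hash_directory(sub))
    return git_tree_id(entries)


def commit_id(tree_oid: str, message: str) -> str:
    """Commit object with a fixed (constructed) identity, so ids are stable."""
    ident = "Example Author <example@example.invalid> 1700000000 +0000"
    body = f"tree {tree_oid}\nauthor {ident}\ncommitter {ident}\n\n{message}\n"
    return git_object_id("commit", body.encode())


def parent_tree_with_submodule(files: Dict[str, bytes]) -> Tuple[str, str]:
    """Return (parent tree id using a gitlink, parent tree id using a subtree).

    Either way the parent tree references the submodule through one raw
    SHA-1: the submodule's commit (mode 160000) or its tree (mode 40000).
    """
    tree = hash_directory(files)
    commit = commit_id(tree, "import vboot")
    gitlink_parent = git_tree_id({"vboot": ("160000", commit)})
    intree_parent = git_tree_id({"vboot": ("40000", tree)})
    return gitlink_parent, intree_parent


def audit_manifest(files: Dict[str, bytes]) -> str:
    """SHA-256 over sorted (path, SHA-256(content)) pairs, noted at audit time.

    Independent of git's object ids, so a SHA-1 weakness in git does not
    weaken the pin.  It still only proves "same bytes as audited", not that
    the audit itself was right.
    """
    h = hashlib.sha256()
    for path in sorted(files):
        h.update(path.encode() + b"\0" + hashlib.sha256(files[path]).digest())
    return h.hexdigest()


def verify_refetch(recorded_manifest: str, refetched: Dict[str, bytes]) -> bool:
    """Compare a re-fetched checkout against the manifest noted at audit time."""
    return hmac.compare_digest(recorded_manifest, audit_manifest(refetched))


if __name__ == "__main__":
    gitlink, intree = parent_tree_with_submodule(VBOOT_FILES)
    sub_tree = hash_directory(VBOOT_FILES)
    print(f"160000 commit {commit_id(sub_tree, 'import vboot')}\tvboot")
    print(f"040000 tree {sub_tree}\tvboot")
    print("parent tree (gitlink):", gitlink)
    print("parent tree (subtree):", intree)
    manifest = audit_manifest(VBOOT_FILES)
    print("audit manifest (SHA-256):", manifest)
    print("re-fetch matches audit:", verify_refetch(manifest, dict(VBOOT_FILES)))
```

Run it as a script to see the two ls-tree style entries and the manifest; the known ids of the empty blob and empty tree are a quick sanity check that the object hashing matches git's.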