git@vger.kernel.org mailing list mirror (one of many)
From: Jeff King <peff@peff.net>
To: "Coiner, John" <John.Coiner@amd.com>
Cc: "Ævar Arnfjörð Bjarmason" <avarab@gmail.com>,
	"Duy Nguyen" <pclouds@gmail.com>,
	"Derrick Stolee" <stolee@gmail.com>,
	"Git Mailing List" <git@vger.kernel.org>
Subject: Re: git, monorepos, and access control
Date: Thu, 6 Dec 2018 02:23:00 -0500
Message-ID: <20181206072300.GB29787@sigill.intra.peff.net>
In-Reply-To: <cdeb9dc9-ac25-23c8-f3b9-9a7987be7df0@amd.com>

On Wed, Dec 05, 2018 at 11:42:09PM +0000, Coiner, John wrote:

> > For instance, Git is very eager to try to find delta-compression
> > opportunities between objects, even if they don't have any relationship
> > within the tree structure. So imagine I want to know the contents of
> > tree X. I push up a tree Y similar to X, then fetch it back, falsely
> > claiming to have X but not Y. If the server generates a delta, that may
> > reveal information about X (which you can then iterate to send Y', and
> > so on, treating the server as an oracle until you've guessed the content
> > of X).
> Another good point. I wouldn't have thought of either of these attacks. 
> You're scaring me (appropriately) about the risks of adding security to 
> a previously-unsecured interface. Let me push on the smudge/clean 
> approach and maybe that will bear fruit.

If you do look into that approach, check out how git-lfs works. In fact,
you might even be able to build around lfs itself. It's already putting
placeholder objects into the repository, and then faulting them in from
external storage. All you would need to do is lock down access to that
external storage, which is typically accessed via http.

(That all assumes you're OK with sharing the actual filenames with
everybody, and just restricting access to the blob contents. There's no
way to clean/smudge a whole subtree. For that you'd have to use
submodules).

-Peff
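
The placeholder-and-fault-in model described in the message above, as an added example that is not part of the original email or of git-lfs itself: a clean/smudge pair that commits only an LFS-style pointer and fetches the content from an access-controlled store. `RestrictedStore`, the user names and the function names are hypothetical; only the three-line pointer layout follows the git-lfs pointer format.

```python
import hashlib

SPEC = "https://git-lfs.github.com/spec/v1"  # version line of a git-lfs pointer

class RestrictedStore:
    """Hypothetical stand-in for the external blob storage, with a read ACL."""
    def __init__(self):
        self._blobs, self._acl = {}, {}      # oid -> bytes, oid -> allowed users

    def put(self, data, readers):
        oid = hashlib.sha256(data).hexdigest()
        self._blobs[oid], self._acl[oid] = data, set(readers)
        return oid

    def get(self, oid, user):
        if user not in self._acl.get(oid, set()):
            raise PermissionError(f"{user} may not read {oid[:12]}")
        return self._blobs[oid]

def clean(data, store, readers):
    """'clean' side: park the content in the store, commit only a pointer."""
    oid = store.put(data, readers)
    return f"version {SPEC}\noid sha256:{oid}\nsize {len(data)}\n".encode()

def parse_pointer(blob):
    """Return (oid, size) if blob is an LFS-style pointer, else None."""
    try:
        fields = dict(line.split(" ", 1) for line in blob.decode().splitlines())
        oid, size = fields["oid"], int(fields["size"])
    except (UnicodeDecodeError, ValueError, KeyError):
        return None
    if fields.get("version") != SPEC or not oid.startswith("sha256:"):
        return None
    return oid[len("sha256:"):], size

def smudge(blob, store, user):
    """'smudge' side: fault content in; unauthorized users keep the pointer."""
    ptr = parse_pointer(blob)
    if ptr is None:
        return blob                          # ordinary file, pass through
    oid, size = ptr
    try:
        data = store.get(oid, user)
    except PermissionError:
        return blob                          # checkout works, content withheld
    if hashlib.sha256(data).hexdigest() != oid or len(data) != size:
        raise ValueError("store returned content that does not match pointer")
    return data
```

The committed pointer still shows every repository reader the file's path, size and SHA-256, so short or guessable contents can be confirmed by hashing candidates even when the store refuses the read.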
