From: Junio C Hamano <gitster@pobox.com>
To: Jeff King <peff@peff.net>
Cc: git@vger.kernel.org, Shawn Pearce <spearce@spearce.org>
Subject: Re: [PATCH v3 3/8] upload/receive-pack: allow hiding ref hierarchies
Date: Tue, 05 Feb 2013 07:45:01 -0800 [thread overview]
Message-ID: <7vwqumvk76.fsf@alter.siamese.dyndns.org> (raw)
In-Reply-To: <20130205085047.GA24973@sigill.intra.peff.net> (Jeff King's message of "Tue, 5 Feb 2013 03:50:48 -0500")
Jeff King <peff@peff.net> writes:
> On Wed, Jan 30, 2013 at 10:45:37AM -0800, Junio C Hamano wrote:
>
>> Teach upload-pack and receive-pack to omit some refs from their
>> initial advertisements by paying attention to the transfer.hiderefs
>> multi-valued configuration variable. Any ref that is under the
>> hierarchies listed on the value of this variable is excluded from
>> responses to requests made by "ls-remote", "fetch", "clone", "push",
>> etc.
>>
>> A typical use case may be
>>
>> [transfer]
>> hiderefs = refs/pull
>>
>> to hide the refs that are internally used by the hosting site and
>> should not be exposed over the network.
>
> In the earlier review, I mentioned making this per-service, but I see
> that is not the case here. Do you have an argument against doing so?
Perhaps then I misunderstood your intention. By reminding me of the
receive-pack side, I thought you were hinting to unify these two
into one, which I did. There is no argument against it.
> And I
> have not seen complaints about the current system.
Immediately after I added github to the set of places I push into,
which I think is long before you joined GitHub, I noticed that _my_
repository gets contaminated by second rate commits called pull
requests, and I may even have complained, but most likely I didn't,
as I could easily tell that, even though I know it is _not_ the only
way, nor even the best way [*1*], to implement the GitHub's pull
request workflow, I perfectly well understood that it would be the
most expedient way for GitHub folks to implement this feature.
I think you should take lack of complaints with a huge grain of
salt. It does not suggest much.
> Gerrit's refs/changes may be a different story, if they have a large
> enough number of them to make upload-pack's ref advertisement
> overwhelming.
This is probably a stale count, but platform/frameworks/base part of
AOSP has 3200+ refs; the corresponding repository internal to Google
has 60k+ refs (this is because there are many in-between states
recorded in the internal repository, even though the end result
published to the open source repository may be the same) and results
in ~4MB advertisement. Which is fairly significant when all you are
interested in doing is an "Am I up to date?" poll.
[Footnote]
*1* From the ownership point of view, objects that are only
reachable from these refs/pull/* refs do *not* belong to the
requestee, until the requestee chooses to accept the changes.
A malicious requestor can fork your repository, add an objectionable
blob to it, and throw a pull request at you. GitHub shows that the
blob now belongs to your repository, so the requestor turns around
and file a DMCA takedown complaint against your repository. A
clueful judge would then agree with the complaint after running a
"clone --mirror" and seeing the blob in your repository. Oops?
A funny thing is that you cannot "push :refs/pull/1/head" to remove
it anymore (I think in the early days, I took them out by doing this
a few times, but I may be misremembering), so you cannot make
yourself into compliance, even though you are not the offending
party. Your repository is held responsible for whatever the rogue
requestor added. That is not very nice, is it?
In an ideal world, I would have chosen to create a dedicated fork
managed by the hosting company (i.e. GitHub) for your repository
whose only purpose is to house these refs/pull/ refs (the hosting
site is ultimately who has to respond to DMCA notices anyway, and an
arrangement like this makes it clear who is reponsible for what).
The e-mail sent to you to let you know about outstanding pull
requests and the web UI could just point at that forked repository,
not your own (you also could choose to leave the outging pull
requests in the requestor's repository, but that is only OK if you
do not worry about (1) a requestor sending a pull request, then
updating the branch the pull request talks about later, to trick you
with bait-and-switch, or (2) a requestor sending a pull request,
thinks he is done with the topic and removes the repository).
next prev parent reply other threads:[~2013-02-05 15:45 UTC|newest]
Thread overview: 54+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-01-30 18:45 [PATCH v3 0/8] Hiding refs Junio C Hamano
2013-01-30 18:45 ` [PATCH v3 1/8] upload-pack: share more code Junio C Hamano
2013-01-30 18:45 ` [PATCH v3 2/8] upload-pack: simplify request validation Junio C Hamano
2013-01-30 18:45 ` [PATCH v3 3/8] upload/receive-pack: allow hiding ref hierarchies Junio C Hamano
2013-02-05 8:50 ` Jeff King
2013-02-05 15:45 ` Junio C Hamano [this message]
2013-02-06 11:31 ` Jeff King
2013-02-06 15:57 ` Junio C Hamano
2013-01-30 18:45 ` [PATCH v3 4/8] parse_fetch_refspec(): clarify the codeflow a bit Junio C Hamano
2013-01-30 18:45 ` [PATCH v3 5/8] fetch: use struct ref to represent refs to be fetched Junio C Hamano
2013-01-30 18:45 ` [PATCH v3 6/8] upload-pack: optionally allow fetching from the tips of hidden refs Junio C Hamano
2013-01-30 18:45 ` [PATCH v3 7/8] fetch: fetch objects by their exact SHA-1 object names Junio C Hamano
2013-02-05 9:19 ` Jeff King
2013-02-05 11:18 ` Jeff King
2013-02-05 15:55 ` Junio C Hamano
2013-01-30 18:45 ` [PATCH v3 8/8] WIP: receive.allowupdatestohidden Junio C Hamano
2013-02-05 8:04 ` [PATCH v3 0/8] Hiding refs Michael Haggerty
2013-02-05 8:33 ` Jonathan Nieder
2013-02-05 10:29 ` Michael Haggerty
2013-02-05 17:38 ` Junio C Hamano
2013-02-06 10:34 ` Duy Nguyen
2013-02-06 19:17 ` Junio C Hamano
2013-02-06 19:45 ` Jonathan Nieder
2013-02-06 21:50 ` Michael Haggerty
2013-02-06 22:12 ` Junio C Hamano
2013-02-06 22:26 ` Ævar Arnfjörð Bjarmason
2013-02-07 0:12 ` Junio C Hamano
2013-02-07 0:16 ` Jeff King
2013-02-07 10:30 ` Ævar Arnfjörð Bjarmason
2013-02-07 18:25 ` Junio C Hamano
2014-02-23 2:44 ` Duy Nguyen
2014-03-11 1:49 ` Jeff King
2014-03-11 19:32 ` Junio C Hamano
2014-03-11 20:05 ` Jeff King
2014-03-11 20:25 ` Junio C Hamano
2014-03-11 20:36 ` Jeff King
2014-03-14 12:37 ` Duy Nguyen
2014-03-14 16:45 ` Shawn Pearce
2014-03-14 23:30 ` Duy Nguyen
2014-03-15 0:09 ` Shawn Pearce
2014-03-18 4:17 ` Jeff King
2014-03-18 14:27 ` Duy Nguyen
2014-03-18 14:36 ` Duy Nguyen
2014-03-15 1:23 ` Duy Nguyen
2014-03-18 4:18 ` Jeff King
2013-02-06 22:56 ` Jeff King
2013-02-05 17:36 ` Junio C Hamano
2013-02-05 17:27 ` Junio C Hamano
2013-02-06 10:17 ` Michael Haggerty
2013-02-06 19:55 ` Jonathan Nieder
2013-02-06 22:01 ` Michael Haggerty
2013-02-07 15:58 ` Jed Brown
2013-02-09 23:23 ` Junio C Hamano
2013-02-10 4:45 ` Jed Brown
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: http://vger.kernel.org/majordomo-info.html
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=7vwqumvk76.fsf@alter.siamese.dyndns.org \
--to=gitster@pobox.com \
--cc=git@vger.kernel.org \
--cc=peff@peff.net \
--cc=spearce@spearce.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).