From: "Ævar Arnfjörð Bjarmason" <avarab@gmail.com>
To: Junio C Hamano <gitster@pobox.com>
Cc: git@vger.kernel.org,
Johannes Schindelin <Johannes.Schindelin@gmx.de>,
Jeff King <peff@peff.net>,
Eric Sunshine <sunshine@sunshineco.com>,
Christian Couder <christian.couder@gmail.com>
Subject: Re: [PATCH v3 05/10] config doc: elaborate on fetch.fsckObjects security
Date: Sat, 28 Jul 2018 16:09:43 +0200 [thread overview]
Message-ID: <871sbnv4d4.fsf@evledraar.gmail.com> (raw)
In-Reply-To: <xmqqeffomphy.fsf@gitster-ct.c.googlers.com>
On Fri, Jul 27 2018, Junio C Hamano wrote:
> Ævar Arnfjörð Bjarmason <avarab@gmail.com> writes:
>
>> +For now, the paranoid need to find some way to emulate the quarantine
>> +environment if they'd like the same protection as "push". E.g. in the
>
> We probably should mention that you can immediately prune, as these
> unwanted crufts are unreferenced. That would probably be a lot easier
> workaround for the intended readers of this document than "find some
> way to emulate".
I'll mention that as well in v6 that "git prune" will get rid of these
objects.
For what it's worth I was imagining something like a system where you're
mirroring every push to some unpatched-git-host.com repo in-house, by
doing a local "git fetch" when you see new data, and you're paranoid
that someone's trying to introduce something like the .gitmodules
security issue to your local mirror, even if you have
transfer.fsckObjects set.
In a case like that, relying on "git prune" is much more fragile. You'd
need to implement your mirror as some loop that does (pseudocode):
while ref = poll_new_refs()
git fetch upstream
git prune --expire=now
As opposed to:
while ref = poll_new_refs()
(git fetch upstream && git prune --expire=now) &
As you might find in some event-based system. I.e. every time you fetch
you need to stop the world and run a full prune, because the potentially
malicious upstream can craft a series of ref updates where one ref
update (which you'll refuse) contains the bad data, but at that point
you have some of those blobs/trees/commits it in your object store, and
then a second ref update references that already existing data and
causes you to update the ref.
It's also much slower and I/O heavy, on an already-pruned linux.git
running 'git prune --expire=now' takes 40 seconds on my machine, as
opposed to:
while ref = poll_new_refs()
(git fetch && git push internal-mirror --mirror) &
Which could take as little time as a second for the whole operation, can
safely be run in parallel, and would be protected because the actually
published internal mirror gets its refs via receive-pack, which uses the
quarantine.
next prev parent reply other threads:[~2018-07-28 14:09 UTC|newest]
Thread overview: 69+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-05-24 15:25 BUG: No way to set fsck.<msg-id> when cloning Ævar Arnfjörð Bjarmason
2018-05-24 15:58 ` Kevin Daudt
2018-05-24 17:04 ` Ævar Arnfjörð Bjarmason
2018-05-24 19:02 ` Jeff King
2018-05-24 19:35 ` [PATCH 0/4] fsck: doc fixes & fetch.fsck.* implementation Ævar Arnfjörð Bjarmason
2018-05-25 19:28 ` [PATCH v2 0/5] " Ævar Arnfjörð Bjarmason
2018-07-27 14:37 ` [PATCH v3 00/10] " Ævar Arnfjörð Bjarmason
2018-07-30 22:13 ` SZEDER Gábor
2018-07-27 14:37 ` [PATCH v3 01/10] receive.fsck.<msg-id> tests: remove dead code Ævar Arnfjörð Bjarmason
2018-07-27 19:11 ` Junio C Hamano
2018-07-27 19:45 ` Ævar Arnfjörð Bjarmason
2018-07-27 22:19 ` Junio C Hamano
2018-07-27 14:37 ` [PATCH v3 02/10] config doc: don't describe *.fetchObjects twice Ævar Arnfjörð Bjarmason
2018-07-27 19:19 ` Junio C Hamano
2018-07-27 14:37 ` [PATCH v3 03/10] config doc: unify the description of fsck.* and receive.fsck.* Ævar Arnfjörð Bjarmason
2018-07-27 19:29 ` Junio C Hamano
2018-07-27 14:37 ` [PATCH v3 04/10] config doc: elaborate on what transfer.fsckObjects does Ævar Arnfjörð Bjarmason
2018-07-27 19:41 ` Junio C Hamano
2018-07-27 14:37 ` [PATCH v3 05/10] config doc: elaborate on fetch.fsckObjects security Ævar Arnfjörð Bjarmason
2018-07-27 19:45 ` Junio C Hamano
2018-07-28 14:09 ` Ævar Arnfjörð Bjarmason [this message]
2018-07-27 14:37 ` [PATCH v3 06/10] transfer.fsckObjects tests: untangle confusing setup Ævar Arnfjörð Bjarmason
2018-07-27 14:37 ` [PATCH v3 07/10] fetch: implement fetch.fsck.* Ævar Arnfjörð Bjarmason
2018-07-27 20:18 ` Junio C Hamano
2018-07-27 21:08 ` Junio C Hamano
2018-07-30 14:58 ` Duy Nguyen
2018-07-30 15:06 ` Ævar Arnfjörð Bjarmason
2018-07-27 14:37 ` [PATCH v3 08/10] fsck: test & document {fetch,receive}.fsck.* config fallback Ævar Arnfjörð Bjarmason
2018-07-27 21:28 ` Junio C Hamano
2018-07-27 14:37 ` [PATCH v3 09/10] fsck: add stress tests for fsck.skipList Ævar Arnfjörð Bjarmason
2018-07-27 14:37 ` [PATCH v3 10/10] fsck: test and document unknown fsck.<msg-id> values Ævar Arnfjörð Bjarmason
2018-07-27 19:50 ` Ævar Arnfjörð Bjarmason
2018-07-27 21:43 ` Junio C Hamano
2018-07-28 13:55 ` Ævar Arnfjörð Bjarmason
2018-07-30 14:47 ` Junio C Hamano
2018-05-25 19:28 ` [PATCH v2 1/5] config doc: don't describe *.fetchObjects twice Ævar Arnfjörð Bjarmason
2018-05-25 21:07 ` Eric Sunshine
2018-05-25 19:28 ` [PATCH v2 2/5] config doc: unify the description of fsck.* and receive.fsck.* Ævar Arnfjörð Bjarmason
2018-05-25 21:16 ` Eric Sunshine
2018-05-28 9:45 ` Junio C Hamano
2018-05-28 16:44 ` Ævar Arnfjörð Bjarmason
2018-05-30 3:05 ` Junio C Hamano
2018-05-30 3:39 ` Junio C Hamano
2018-05-31 7:20 ` Ævar Arnfjörð Bjarmason
2018-06-01 0:11 ` Junio C Hamano
2018-05-25 19:28 ` [PATCH v2 3/5] config doc: elaborate on what transfer.fsckObjects does Ævar Arnfjörð Bjarmason
2018-05-25 21:19 ` Eric Sunshine
2018-05-25 19:28 ` [PATCH v2 4/5] config doc: mention future aspirations for transfer.fsckObjects Ævar Arnfjörð Bjarmason
2018-05-25 20:33 ` Christian Couder
2018-05-25 19:28 ` [PATCH v2 5/5] fetch: implement fetch.fsck.* Ævar Arnfjörð Bjarmason
2018-05-30 3:47 ` Junio C Hamano
2018-05-31 7:23 ` Ævar Arnfjörð Bjarmason
2018-05-28 9:48 ` [PATCH 0/4] fsck: doc fixes & fetch.fsck.* implementation Junio C Hamano
2018-05-24 19:35 ` [PATCH 1/4] config doc: don't describe *.fetchObjects twice Ævar Arnfjörð Bjarmason
2018-05-25 3:18 ` Junio C Hamano
2018-05-24 19:35 ` [PATCH 2/4] config doc: unify the description of fsck.* and receive.fsck.* Ævar Arnfjörð Bjarmason
2018-05-24 19:53 ` Eric Sunshine
2018-05-24 20:12 ` Ævar Arnfjörð Bjarmason
2018-05-24 22:49 ` Eric Sunshine
2018-05-25 2:07 ` Junio C Hamano
2018-05-24 19:35 ` [PATCH 3/4] config doc: elaborate on what transfer.fsckObjects does Ævar Arnfjörð Bjarmason
2018-05-24 20:15 ` Eric Sunshine
2018-05-25 3:22 ` Junio C Hamano
2018-05-31 7:32 ` Ævar Arnfjörð Bjarmason
2018-05-24 19:35 ` [PATCH 4/4] fetch: implement fetch.fsck.* Ævar Arnfjörð Bjarmason
2018-05-25 4:09 ` Junio C Hamano
2018-05-24 17:04 ` BUG: No way to set fsck.<msg-id> when cloning Jeff King
2018-05-24 20:48 ` Thomas Braun
2018-05-25 7:36 ` Ævar Arnfjörð Bjarmason
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: http://vger.kernel.org/majordomo-info.html
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=871sbnv4d4.fsf@evledraar.gmail.com \
--to=avarab@gmail.com \
--cc=Johannes.Schindelin@gmx.de \
--cc=christian.couder@gmail.com \
--cc=git@vger.kernel.org \
--cc=gitster@pobox.com \
--cc=peff@peff.net \
--cc=sunshine@sunshineco.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).