From: "Ævar Arnfjörð Bjarmason" <avarab@gmail.com>
To: Junio C Hamano <gitster@pobox.com>
Cc: Eric Sunshine <sunshine@sunshineco.com>,
Git List <git@vger.kernel.org>, Jeff King <peff@peff.net>,
Johannes Schindelin <johannes.schindelin@gmx.de>
Subject: Re: [PATCH 3/4] config doc: elaborate on what transfer.fsckObjects does
Date: Thu, 31 May 2018 09:32:24 +0200 [thread overview]
Message-ID: <87d0xc9t6f.fsf@evledraar.gmail.com> (raw)
In-Reply-To: <xmqq4liwpggs.fsf@gitster-ct.c.googlers.com>
On Fri, May 25 2018, Junio C Hamano wrote:
> Eric Sunshine <sunshine@sunshineco.com> writes:
>
>>> +will instead be left unreferenced in the repository. That's considered
>>> +a bug, and hopefully future git release will implement a quarantine
>>> +for the "fetch" side as well.
>>
>> If this was a "BUGS" section in a man-page, the above might be less
>> scary. In this context, however, I wonder if it makes sense to tone it
>> down a bit:
>>
>> On the fetch side, malformed objects will instead be left
>> unreferenced in the repository. (However, in the future, such
>> objects may be quarantined for "fetch", as well.)
>
> I had an impression that nobody else sayd it is considered as a
> bug. Do we need to say it in this series? I'd rather not--with or
> without such a future modification (or lack of plan thereof),
> teaching the fetch side to pay attention to the various fsck tweaks
> is an improvement.
I changed this in v2 to tone it down, but given what Jeff's mentioned in
https://public-inbox.org/git/20180531060259.GE17344@sigill.intra.peff.net/
I'm inclined to bring back some stronger wording for it. Something like:
Due to the non-quarantine nature of the fetch.fsckObjects
implementation it can not be relied upon like receive.fsckObjects
can. As objects are unpacked they're written to the object store, so
there can be cases where malicious objects get introduced even
though the "fetch" fail, only to have a subsequent "fetch" succeed
because only new incoming objects are checked, not those that have
already been written to the store.
This is considered a bug and will likely be fixed in future versions
of git. For now the paranoid need to find some way to emulate the
quarantine environment if they'd like the same protection as
"push". E.g. in the case of an internal mirror do the mirroring in
two steps, one to fetch the untrusted objects, and then do a second
"push" (which will use the quarantine) to another internal repo, and
have internal clients consume this pushed-to repository, or embargo
internal fetches and only allow them once a full "fsck" has run (and
no new fetches have happened in the meantime).
next prev parent reply other threads:[~2018-05-31 7:32 UTC|newest]
Thread overview: 69+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-05-24 15:25 BUG: No way to set fsck.<msg-id> when cloning Ævar Arnfjörð Bjarmason
2018-05-24 15:58 ` Kevin Daudt
2018-05-24 17:04 ` Ævar Arnfjörð Bjarmason
2018-05-24 19:02 ` Jeff King
2018-05-24 19:35 ` [PATCH 0/4] fsck: doc fixes & fetch.fsck.* implementation Ævar Arnfjörð Bjarmason
2018-05-25 19:28 ` [PATCH v2 0/5] " Ævar Arnfjörð Bjarmason
2018-07-27 14:37 ` [PATCH v3 00/10] " Ævar Arnfjörð Bjarmason
2018-07-30 22:13 ` SZEDER Gábor
2018-07-27 14:37 ` [PATCH v3 01/10] receive.fsck.<msg-id> tests: remove dead code Ævar Arnfjörð Bjarmason
2018-07-27 19:11 ` Junio C Hamano
2018-07-27 19:45 ` Ævar Arnfjörð Bjarmason
2018-07-27 22:19 ` Junio C Hamano
2018-07-27 14:37 ` [PATCH v3 02/10] config doc: don't describe *.fetchObjects twice Ævar Arnfjörð Bjarmason
2018-07-27 19:19 ` Junio C Hamano
2018-07-27 14:37 ` [PATCH v3 03/10] config doc: unify the description of fsck.* and receive.fsck.* Ævar Arnfjörð Bjarmason
2018-07-27 19:29 ` Junio C Hamano
2018-07-27 14:37 ` [PATCH v3 04/10] config doc: elaborate on what transfer.fsckObjects does Ævar Arnfjörð Bjarmason
2018-07-27 19:41 ` Junio C Hamano
2018-07-27 14:37 ` [PATCH v3 05/10] config doc: elaborate on fetch.fsckObjects security Ævar Arnfjörð Bjarmason
2018-07-27 19:45 ` Junio C Hamano
2018-07-28 14:09 ` Ævar Arnfjörð Bjarmason
2018-07-27 14:37 ` [PATCH v3 06/10] transfer.fsckObjects tests: untangle confusing setup Ævar Arnfjörð Bjarmason
2018-07-27 14:37 ` [PATCH v3 07/10] fetch: implement fetch.fsck.* Ævar Arnfjörð Bjarmason
2018-07-27 20:18 ` Junio C Hamano
2018-07-27 21:08 ` Junio C Hamano
2018-07-30 14:58 ` Duy Nguyen
2018-07-30 15:06 ` Ævar Arnfjörð Bjarmason
2018-07-27 14:37 ` [PATCH v3 08/10] fsck: test & document {fetch,receive}.fsck.* config fallback Ævar Arnfjörð Bjarmason
2018-07-27 21:28 ` Junio C Hamano
2018-07-27 14:37 ` [PATCH v3 09/10] fsck: add stress tests for fsck.skipList Ævar Arnfjörð Bjarmason
2018-07-27 14:37 ` [PATCH v3 10/10] fsck: test and document unknown fsck.<msg-id> values Ævar Arnfjörð Bjarmason
2018-07-27 19:50 ` Ævar Arnfjörð Bjarmason
2018-07-27 21:43 ` Junio C Hamano
2018-07-28 13:55 ` Ævar Arnfjörð Bjarmason
2018-07-30 14:47 ` Junio C Hamano
2018-05-25 19:28 ` [PATCH v2 1/5] config doc: don't describe *.fetchObjects twice Ævar Arnfjörð Bjarmason
2018-05-25 21:07 ` Eric Sunshine
2018-05-25 19:28 ` [PATCH v2 2/5] config doc: unify the description of fsck.* and receive.fsck.* Ævar Arnfjörð Bjarmason
2018-05-25 21:16 ` Eric Sunshine
2018-05-28 9:45 ` Junio C Hamano
2018-05-28 16:44 ` Ævar Arnfjörð Bjarmason
2018-05-30 3:05 ` Junio C Hamano
2018-05-30 3:39 ` Junio C Hamano
2018-05-31 7:20 ` Ævar Arnfjörð Bjarmason
2018-06-01 0:11 ` Junio C Hamano
2018-05-25 19:28 ` [PATCH v2 3/5] config doc: elaborate on what transfer.fsckObjects does Ævar Arnfjörð Bjarmason
2018-05-25 21:19 ` Eric Sunshine
2018-05-25 19:28 ` [PATCH v2 4/5] config doc: mention future aspirations for transfer.fsckObjects Ævar Arnfjörð Bjarmason
2018-05-25 20:33 ` Christian Couder
2018-05-25 19:28 ` [PATCH v2 5/5] fetch: implement fetch.fsck.* Ævar Arnfjörð Bjarmason
2018-05-30 3:47 ` Junio C Hamano
2018-05-31 7:23 ` Ævar Arnfjörð Bjarmason
2018-05-28 9:48 ` [PATCH 0/4] fsck: doc fixes & fetch.fsck.* implementation Junio C Hamano
2018-05-24 19:35 ` [PATCH 1/4] config doc: don't describe *.fetchObjects twice Ævar Arnfjörð Bjarmason
2018-05-25 3:18 ` Junio C Hamano
2018-05-24 19:35 ` [PATCH 2/4] config doc: unify the description of fsck.* and receive.fsck.* Ævar Arnfjörð Bjarmason
2018-05-24 19:53 ` Eric Sunshine
2018-05-24 20:12 ` Ævar Arnfjörð Bjarmason
2018-05-24 22:49 ` Eric Sunshine
2018-05-25 2:07 ` Junio C Hamano
2018-05-24 19:35 ` [PATCH 3/4] config doc: elaborate on what transfer.fsckObjects does Ævar Arnfjörð Bjarmason
2018-05-24 20:15 ` Eric Sunshine
2018-05-25 3:22 ` Junio C Hamano
2018-05-31 7:32 ` Ævar Arnfjörð Bjarmason [this message]
2018-05-24 19:35 ` [PATCH 4/4] fetch: implement fetch.fsck.* Ævar Arnfjörð Bjarmason
2018-05-25 4:09 ` Junio C Hamano
2018-05-24 17:04 ` BUG: No way to set fsck.<msg-id> when cloning Jeff King
2018-05-24 20:48 ` Thomas Braun
2018-05-25 7:36 ` Ævar Arnfjörð Bjarmason
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: http://vger.kernel.org/majordomo-info.html
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87d0xc9t6f.fsf@evledraar.gmail.com \
--to=avarab@gmail.com \
--cc=git@vger.kernel.org \
--cc=gitster@pobox.com \
--cc=johannes.schindelin@gmx.de \
--cc=peff@peff.net \
--cc=sunshine@sunshineco.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).