From: Junio C Hamano <gitster@pobox.com>
To: "Carlsson\, Magnus" <Magnus.Carlsson@arris.com>
Cc: "git\@vger.kernel.org" <git@vger.kernel.org>
Subject: Re: Fetching commit instead of ref
Date: Tue, 19 Dec 2017 08:07:02 -0800 [thread overview]
Message-ID: <xmqqtvwmwvkp.fsf@gitster.mtv.corp.google.com> (raw)
In-Reply-To: <1513672915856.50628@arris.com> (Magnus Carlsson's message of "Tue, 19 Dec 2017 08:41:56 +0000")
"Carlsson, Magnus" <Magnus.Carlsson@arris.com> writes:
> I understand that you don't want to allow people fetching single
> commits all the time, but is there a reason that you don't allow
> SHA instead of references when you fetch an entire tree?
I do not think we don't want to allow "single commit" fetch. We do
not allow fetching histories from an arbitrary point in the graph,
unless we can prove that what gets fetched is what the serving end
intended to expose to the fetcher---you should view it as a security
issue.
The default way to determine that a fetch request is getting only
the things the serving end wanted to publish is to see the requested
tips of the histories to be fetched are all pointed by refs. Which
means that a client of a hosting site can rewind and repoint a ref
after pushing a wrong branch that contained undesirable matter by
accident. Moving the ref to make the undesirable object unreachable
is all that is needed to "hide" it from the public view, even when
the client does not have a way to trigger "gc" immediately on the
hosting site.
There are variants of this security measure. If the hosting site is
willing to spend extra cycles, we could loosen the "is the request
fetching only what is published?" check to see if the requested tips
are reachable from the tips of refs, instead of exactly at refs. It
preserves "a mistake can be hidden with a forced push" property the
same way as above, but it is costly and is prone to abuse.
If you are confident about your pushes all the time, you can take
a stance "anything in the repository is meant to be read". That is
what the "allowAnySHA1InWant" does. Not everybody however wants to
do this for obvious reasons, so it is not a default.
next prev parent reply other threads:[~2017-12-19 16:07 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-12-18 12:30 Fetching commit instead of ref Carlsson, Magnus
2017-12-18 18:16 ` Jonathan Tan
2017-12-18 18:22 ` Stefan Beller
2017-12-18 18:44 ` Junio C Hamano
2017-12-19 8:41 ` Carlsson, Magnus
2017-12-19 16:07 ` Junio C Hamano [this message]
2017-12-20 7:48 ` Carlsson, Magnus
2017-12-22 18:47 ` Junio C Hamano
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: http://vger.kernel.org/majordomo-info.html
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=xmqqtvwmwvkp.fsf@gitster.mtv.corp.google.com \
--to=gitster@pobox.com \
--cc=Magnus.Carlsson@arris.com \
--cc=git@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).