Jesse Keating wrote:
> On Oct 7, 2011, at 8:21 AM, Till Maas wrote:
>> On Fri, Oct 07, 2011 at 07:53:25AM -0700, Jesse Keating wrote:
>>
>>> Might have gone quicker if you pull via git:// and then only push
>>> via ssh:// reducing your ssh handshakes by half.
>>
>> How do you ensure the integrity of the git repo if it is pulled via
>> git://? As far as I can see doing this automatically is an invitation to
>> perform man-in-the-middle attacks.
[...]
> Sure that's a risk. It'd take a fairly sophisticated attack to take
> advantage of it, but yes, it's a risk. Strikes me as easier to just
> fake your way into the packager group and upload your bad-bits that
> way. Everything is a balance between risk and performance.

Quite true. For anyone that wanted a bit of both, you could pull via
git and then verify the hash of the branches before you used them.
It's quick to use git ls-remote to get that information over ssh, for
one branch, or just heads, or whatever.

    [tmz@panaeolus git (master)]$ git ls-remote ssh://pkgs.fedoraproject.org/git master
    f8faec03bd41627fb60e26004b1727d30fabe94a refs/heads/master

    [tmz@panaeolus git (master)]$ git for-each-ref refs/remotes/origin/master
    f8faec03bd41627fb60e26004b1727d30fabe94a commit refs/remotes/origin/master

Or just using cat:

    [tmz@panaeolus git (master)]$ cat .git/refs/remotes/origin/master
    f8faec03bd41627fb60e26004b1727d30fabe94a

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Religion. A daughter of Hope and Fear, explaining to Ignorance the
nature of the Unknowable.
    -- Ambrose Bierce, The Enlarged Devil's Dictionary, 1906
-- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel
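
The check described in the message above, scripted as an added example that is not part of the original post: it compares branch hashes obtained over ssh with the remote-tracking refs left by a git:// fetch, and fails closed when the ssh answer is empty. The function names verify_refs and check_remote, the remote name "origin" and the all-ones hash are assumptions made for illustration.

```shell
#!/bin/sh
# verify_refs TRUSTED FETCHED [REMOTE]
#   TRUSTED: `git ls-remote` output obtained over ssh  ("<sha>\t<refs/heads/NAME>")
#   FETCHED: `git for-each-ref refs/remotes/REMOTE` output after a git:// fetch
#            ("<sha> <type>\t<refs/remotes/REMOTE/NAME>")
# Prints one line per problem and returns non-zero unless every trusted
# branch head is present locally with the same hash.
verify_refs() {
    trusted=$1 fetched=$2 remote=${3:-origin}
    rc=0 seen=0
    while read -r sha ref; do
        case $ref in refs/heads/*) ;; *) continue ;; esac
        seen=1
        name=${ref#refs/heads/}
        local_sha=$(printf '%s\n' "$fetched" |
            awk -v want="refs/remotes/$remote/$name" '$3 == want { print $1 }')
        if [ -z "$local_sha" ]; then
            echo "MISSING $name"; rc=1
        elif [ "$local_sha" != "$sha" ]; then
            echo "MISMATCH $name trusted=$sha fetched=$local_sha"; rc=1
        fi
    done <<EOF
$trusted
EOF
    # An empty ssh answer (failed connection, wrong URL) must not pass.
    [ "$seen" -eq 1 ] || { echo "NO-TRUSTED-REFS"; rc=1; }
    return $rc
}

# Live use inside a clone whose remote was fetched via git://
#   check_remote ssh://pkgs.fedoraproject.org/git [REMOTE]
check_remote() {
    verify_refs "$(git ls-remote --heads "$1")" \
                "$(git for-each-ref "refs/remotes/${2:-origin}")" "${2:-origin}"
}

# Constructed sample data; the master hash is the one shown in the post.
GOOD=f8faec03bd41627fb60e26004b1727d30fabe94a
TRUSTED=$(printf '%s\t%s\n' "$GOOD" refs/heads/master)
FETCHED_OK=$(printf '%s commit\t%s\n' "$GOOD" refs/remotes/origin/master)
FETCHED_BAD=$(printf '%s commit\t%s\n' \
    1111111111111111111111111111111111111111 refs/remotes/origin/master)
```

A MISMATCH can also mean that a push landed between the fetch and the check, so fetch again and re-run before treating it as tampering.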