On Thu, 25 May 2006, Eric W. Biederman wrote: > > My basic argument is that starting a pull with a commit that is not a > reference is no worse than staring a pull from a broken repository. The > same checks that protects us should work in either case. I think Junio reacted to the subject line, which was somewhat badly phrased. You're not looking to transfer random objects, you're looking to _start_ a branch at any arbitrary known point. However, Junio's point is probably that the "any valid SHA1" might actually point to a broken tree, even if it exists on the server. Of course, in that case hopefully git-rev-list exits with an error, and the server doesn't generate any pack at all rather than generating a broken one. However, there's a (questionable) security issue: what if the server doesn't _want_ to expose certain branches? Arguably, if you know the top SHA1, you likely know all that it contains, but it may be a valid argument to say that if the SHA1 isn't an exported branch, you shouldn't necessarily be able to follow it. Linus - : send the line "unsubscribe git" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html