On Tue, Sep 6, 2011 at 14:24, Junio C Hamano <gitster@xxxxxxxxx> wrote:
> Interestingly, we did say what commit the requesters based their changes
> on, but did not give the person who performs a fetch & merge to make sure
> he fetched the right branch.
...
> diff --git a/git-request-pull.sh b/git-request-pull.sh > @@ -71,6 +71,7 @@ git show -s --format='The following changes since commit %H: > > are available in the git repository at:' $baserev && > echo " $url $branch" && > +echo "for you to fetch changes up to $headrev" > echo &&

Better than what we had before. I was sort of hoping for changing the pull line slightly to include the SHA-1. E.g. suppose instead the line was:

  echo " $url $headrev"

and git pull passed the $headrev down to git fetch, which then found any reference that points exactly at $headrev and fetches that. The branch name is now lost for the merge summary, but could be guessed from the advertisement similar to how HEAD is guessed.

Git pull could also then validate that the commit it's merging in FETCH_HEAD is what was passed on the command line. Then verification of the SHA-1 is automatic by Git, and doesn't require a human.

If the pull request was sent by GPG signed email, and the MUA checked the signature, the puller has pretty reasonable assurance over the content they are bringing into their repository.

--
Shawn.
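
Review bot: the added line `echo "for you to fetch changes up to $headrev"` has no trailing `&&`, unlike `echo " $url $branch" &&` before it and `echo &&` after it, so the command chain ends at the new line and a failure earlier in the chain no longer stops the commands that follow or reaches the script's exit status. Append `&&` to the new line. The printed commit is also only informational: nothing in the visible lines makes the receiving side compare it with what was fetched, so a sentence in the request text or the documentation telling the puller to check the fetched tip against `$headrev` would make the line actionable.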
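
The receiver-side check described in the message above, sketched as an added example (not code from git or from this thread): given the commit named in a pull request, find the advertised ref that points exactly at it, then confirm that FETCH_HEAD holds that commit before merging. The function names and object ids are constructed, the advertisement is assumed to be in `git ls-remote` output format, and ids are assumed to be 40-hex SHA-1.

```shell
#!/bin/sh
# Constructed sample advertisement, "<object id><TAB><refname>" per line,
# as `git ls-remote <url>` prints it. The object ids are made up.
ADVERT=$(printf '%s\t%s\n' \
    1111111111111111111111111111111111111111 HEAD \
    1111111111111111111111111111111111111111 refs/heads/master \
    2222222222222222222222222222222222222222 refs/heads/for-junio \
    2222222222222222222222222222222222222222 refs/tags/rc-for-junio)

# Print every advertised ref that points exactly at $1. HEAD is skipped
# because it only aliases a branch. The "" concatenation forces a string
# comparison; all-digit ids would otherwise be compared as floats.
refs_at() {
    printf '%s\n' "$ADVERT" |
        awk -F '\t' -v want="$1" '($1 "") == (want "") && $2 != "HEAD" { print $2 }'
}

# Choose the ref to fetch for the requested commit, preferring a branch so
# the merge summary can name it. Returns 2 for a malformed id and 1 when
# no advertised ref points at the commit (e.g. the branch has moved).
pick_ref() {
    case "$1" in
        ''|*[!0-9a-f]*) echo "not a full object id: $1" >&2; return 2 ;;
    esac
    [ "${#1}" -eq 40 ] || { echo "not a full object id: $1" >&2; return 2; }
    refs=$(refs_at "$1")
    [ -n "$refs" ] || { echo "no advertised ref points at $1" >&2; return 1; }
    printf '%s\n' "$refs" | awk '
        NR == 1          { first = $0 }
        /^refs\/heads\// { print; found = 1; exit }
        END              { if (!found) print first }'
}

# Succeed only if the first entry of the FETCH_HEAD file $2 (object id is
# the first tab-separated field) is the commit $1 named in the request.
check_fetch_head() {
    got=$(awk -F '\t' 'NR == 1 { print $1 }' "$2")
    [ "$got" = "$1" ]
}

# Demo on the constructed data.
pick_ref 2222222222222222222222222222222222222222   # prints refs/heads/for-junio
```

In a real run the advertisement would come from `git ls-remote "$url"`, and `check_fetch_head` would be pointed at `.git/FETCH_HEAD` after the fetch and before the merge.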