On 07.03.2012 22:27, Ævar Arnfjörð Bjarmason wrote:
Does something other than git-fsck actually check whether the collection of blobs you're getting from the remote when you clone have sensible sha1's? What'll happen if he replaces that 550MB blob with a 0 byte blob but hacks the object store so that it pretends to have the same sha1?
This is something I tested once because of security concerns (i.e. what happens if a malicious intruder just drops something else into the object store) and if I remember correctly only git-fsck was able to spot the switch. But I didn't test cloning, only a few local operations.
-- To unsubscribe from this list: send the line "unsubscribe git" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html