"Pyeron, Jason J CTR (US)" <jason.j.pyeron.ctr@xxxxxxxx> writes:

> In this situation we should assume that the bundle does not have
> any content which is already in the public repository, that is it
> has the minimum data to make it pass a git bundle verify from the
> public repository's point of view. We would then take the bundle
> and pipe it through the "git-bundle2text" program which would
> result in a "human" inspectable format as opposed to the packed
> format[2]. The security reviewer would then see all the
> information being released and with the help of the public
> repository see how the data changes the repository.

The bundle file is a thinly wrapped packfile, with extra information
that tells what objects in the bundle are the tips of histories and
what objects the repository the bundle gets unbundled into has to have.

So your "git-bundle2text" would likely involve fetching from the
bundle and inspecting the resulting history and the working tree files.
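The header layout described in the reply above, as an added example that is not part of the original message or of git's own code: a Python parser that lists a bundle's prerequisite objects and history tips and locates the embedded packfile, so a reviewer can see what a bundle claims before fetching from it. It assumes the v2/v3 bundle header layout; `parse_bundle_header`, `check_oid` and `SAMPLE_BUNDLE` are names and data constructed for illustration.

```python
import struct

HEX = set("0123456789abcdef")

def check_oid(oid: str) -> str:
    """Accept only a full SHA-1 (40) or SHA-256 (64) hex object name."""
    if len(oid) not in (40, 64) or not set(oid) <= HEX:
        raise ValueError("malformed object name in bundle header: %r" % oid)
    return oid

def parse_bundle_header(data: bytes) -> dict:
    """Return prerequisites, tips and packfile location of a git bundle."""
    end = data.find(b"\n\n")  # a blank line separates the header from the pack
    if end < 0:
        raise ValueError("no blank line terminating the bundle header")
    lines = data[:end].decode("utf-8", "replace").split("\n")
    if lines[0] not in ("# v2 git bundle", "# v3 git bundle"):
        raise ValueError("not a git bundle: %r" % lines[0])
    info = {"capabilities": [], "prerequisites": [], "tips": []}
    for line in lines[1:]:
        if line.startswith("@"):        # v3 capability line
            info["capabilities"].append(line[1:])
        elif line.startswith("-"):      # object the receiving repo must have
            oid, _, comment = line[1:].partition(" ")
            info["prerequisites"].append((check_oid(oid), comment))
        else:                           # tip of a history carried in the bundle
            oid, _, ref = line.partition(" ")
            info["tips"].append((check_oid(oid), ref))
    pack = data[end + 2:]
    if len(pack) < 12 or pack[:4] != b"PACK":
        raise ValueError("bundle header is not followed by a packfile")
    info["pack_version"], info["pack_objects"] = struct.unpack(">II", pack[4:12])
    info["pack_offset"] = end + 2
    return info

# Constructed sample: a real header shape followed by a stub pack header
# (the object data itself is omitted, so git could not unpack this).
SAMPLE_BUNDLE = (
    b"# v2 git bundle\n"
    b"-" + b"1" * 40 + b" previous release\n"
    + b"2" * 40 + b" refs/heads/master\n"
    b"\n"
    b"PACK" + struct.pack(">II", 2, 3)
)

if __name__ == "__main__":
    for key, value in parse_bundle_header(SAMPLE_BUNDLE).items():
        print(key, value)
```

The header only states what the bundle claims to contain; the objects themselves still have to be unpacked, for example by fetching into a scratch clone of the public repository, before their content can be reviewed.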