> -----Original Message-----
> From: Junio C Hamano
> Sent: Monday, November 26, 2012 3:38 PM
>
> "Pyeron, Jason J CTR (US)" writes:
>
> > In this situation we should assume that the bundle does not have
> > any content which is already in the public repository, that is, it
> > has the minimum data to make it pass a git bundle verify from the
> > public repository's point of view. We would then take the bundle
> > and pipe it through the "git-bundle2text" program which would
> > result in a "human" inspectable format as opposed to the packed
> > format[2]. The security reviewer would then see all the
> > information being released and with the

*** Assumed that the inspector had a copy of the original public repo

> > help of the public
> > repository see how the data changes the repository.
>
> The bundle file is a thinly wrapped packfile, with extra information
> that tells what objects in the bundle are the tips of histories and
> what objects the repository the bundle gets unbundled into has to have.
> So your "git-bundle2text" would likely involve fetching from the
> bundle and inspecting the resulting history and the working tree
> files.

Yeah, I knew the inspection tool was going to get messy.

-Jason
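The bundle layout Junio describes (a header naming the tips the bundle delivers and the objects the receiving repository must already have, followed by a packfile) can be read without unbundling anything. The following is an added example, not code from git or from anyone in this thread: it parses the v2/v3 bundle header, lists tips and prerequisites, checks the pack signature and its SHA-1 trailer, and reports which prerequisites a reviewer's copy of the public repository lacks, which is the check `git bundle verify` performs. The sample bundle, its object ids and the zero-object pack are constructed for the example; a real bundle's pack is usually thin, so the objects inside it cannot be fully expanded until the prerequisites are present, which is why the full "bundle2text" still ends up fetching into a clone.

```python
"""Inspect a git bundle's header and pack framing without unbundling it.

Bundle format: signature line, optional "@key=value" capabilities (v3 only),
"-<oid> <comment>" prerequisite lines, "<oid> <refname>" tip lines,
a blank line, then an ordinary (possibly thin) packfile with a SHA-1 trailer.
"""
import hashlib
import struct
from dataclasses import dataclass, field


@dataclass
class BundleHeader:
    version: int
    capabilities: dict = field(default_factory=dict)   # v3 only
    prerequisites: list = field(default_factory=list)  # (oid, comment) receiver must already have
    refs: list = field(default_factory=list)           # (oid, refname) tips the bundle delivers
    pack_offset: int = 0                               # byte offset of "PACK"


def _oid(text: str) -> str:
    if len(text) != 40 or any(c not in "0123456789abcdef" for c in text):
        raise ValueError(f"malformed object id: {text!r}")
    return text


def parse_bundle(data: bytes) -> BundleHeader:
    """Parse the header; the pack begins right after the blank line."""
    end = data.find(b"\n\n")
    if end < 0:
        raise ValueError("no blank line separating header from pack")
    lines = data[:end].decode("utf-8").split("\n")
    versions = {"# v2 git bundle": 2, "# v3 git bundle": 3}
    if lines[0] not in versions:
        raise ValueError(f"not a git bundle: {lines[0]!r}")
    hdr = BundleHeader(version=versions[lines[0]], pack_offset=end + 2)
    for line in lines[1:]:
        if line.startswith("@"):
            if hdr.version != 3:
                raise ValueError("capability line in a v2 bundle")
            key, _, value = line[1:].partition("=")
            hdr.capabilities[key] = value
        elif line.startswith("-"):
            oid, _, comment = line[1:].partition(" ")
            hdr.prerequisites.append((_oid(oid), comment))
        else:
            oid, _, refname = line.partition(" ")
            if not refname:
                raise ValueError(f"tip line without ref name: {line!r}")
            hdr.refs.append((_oid(oid), refname))
    if not hdr.refs:
        raise ValueError("bundle delivers no refs")
    return hdr


def check_pack(data: bytes, offset: int) -> int:
    """Validate pack signature, version and SHA-1 trailer; return object count."""
    if len(data) - offset < 12 + 20:
        raise ValueError("truncated pack")
    magic, version, count = struct.unpack(">4sII", data[offset:offset + 12])
    if magic != b"PACK" or version not in (2, 3):
        raise ValueError("bad pack header")
    if hashlib.sha1(data[offset:-20]).digest() != data[-20:]:
        raise ValueError("pack trailer checksum mismatch")
    return count


def missing_prerequisites(hdr: BundleHeader, local_objects: set) -> list:
    """Prerequisites the reviewer's public-repo copy does not have."""
    return [oid for oid, _ in hdr.prerequisites if oid not in local_objects]


# Constructed sample ids (not real commits): one prerequisite, one tip.
PREREQ = "0123456789abcdef0123456789abcdef01234567"
TIP = "89abcdef0123456789abcdef0123456789abcdef"


def build_sample_bundle() -> bytes:
    """Constructed v2 bundle with an empty (zero-object) pack."""
    header = (
        "# v2 git bundle\n"
        f"-{PREREQ} last public commit\n"
        f"{TIP} refs/heads/master\n"
        "\n"
    ).encode()
    pack = b"PACK" + struct.pack(">II", 2, 0)  # pack version 2, zero objects
    pack += hashlib.sha1(pack).digest()        # trailer is SHA-1 of all preceding bytes
    return header + pack


def describe(data: bytes, local_objects: set) -> dict:
    """Human-readable summary of what the bundle would deliver and require."""
    hdr = parse_bundle(data)
    return {
        "version": hdr.version,
        "tips": {refname: oid for oid, refname in hdr.refs},
        "prerequisites": [oid for oid, _ in hdr.prerequisites],
        "missing": missing_prerequisites(hdr, local_objects),
        "pack_objects": check_pack(data, hdr.pack_offset),
    }


if __name__ == "__main__":
    print(describe(build_sample_bundle(), {PREREQ}))
```

Run against a real bundle, `describe(open(path, "rb").read(), local_oids)` gives the same information as `git bundle list-heads` plus the prerequisite check, and a non-empty `missing` list means `git bundle verify` would reject it against that repository.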