Re: [PATCH] disable grafts during fetch/push/bundle

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, Mar 04, 2014 at 12:52:18PM -0800, Junio C Hamano wrote:

> > We already make an attempt to do the right thing in several
> > places by turning off read_replace_refs. However, we missed
> > at least one case (during bundle creation), and we do
> > nothing anywhere to handle grafts.
> 
> "Doing nothing for grafts" has been pretty much a deliberate
> omission.  Because we have no way to transfer how histories are
> grafted together, people cloning from a repository that grafts away
> a commit that records a mistakenly committed sekrit will end up with
> a disjoint history, instead of exposing the sekrit to them, and are
> expected to join the history by recreating grafts (perhaps a README
> of such a project instructs them to do so).  That was deemed far
> better than exposing the hidden history, I think.

I see your point, but I would be tempted to say that the person trying
to hide a secret with grafting is simply wrong to do so. You need to
cement that history with a rewrite if you want to share with people.

I do not recall any past discussion on this topic, and searching the
archive only shows people echoing what I said above. Is this something
we've promised to work in the past?

I'm certainly sympathetic to systems failing to a secure default rather
than doing something that the user does not expect. But at the same
time, if using grafts for security isn't something people reasonably
expect, then failing only hurts the non-security cases.

> And "replace tries to do the right thing" was an attempt to rectify
> that misfeature of grafts in that we now do have a way to transfer
> how the history is grafted together, so that project README does not
> have to instruct the fetcher of doing anything special.

Perhaps the right response is "grafts are broken, use git-replace
instead". But then should we think about deprecating grafts? Again, this
patch was spurred by a real user with a graft trying to push and getting
a confusing error message.

> It _might_ be a misfeature, however, for the object connectivity
> layer to expose a part of the history replaced away to the party
> that fetches from such a repository.  Ideally, the "right thing"
> ought to be to include history that would be omitted if we did not
> have the replacement (i.e. adding parents the underlying commit does
> not record), while not following the history that replacement wants
> to hide (i.e. excluding the commits replacement commits overlay).

I don't really think it's worth the complexity. It's fairly common
knowledge (or at least I think so) that replace refs are a _view_ onto
the history. When you share the history graph, you share the true
objects. You can _also_ share your views in replace/refs, but it is up
to the client to fetch them. If you want to hide things, then you need
to rewrite the true objects, end of story.

I dunno. Maybe there are people who have different expectations.

-Peff
--
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html




[Index of Archives]     [Linux Kernel Development]     [Gcc Help]     [IETF Annouce]     [DCCP]     [Netdev]     [Networking]     [Security]     [V4L]     [Bugtraq]     [Yosemite]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux SCSI]     [Fedora Users]