Shawn Pearce <spearce@xxxxxxxxxxx> writes: > A stateless nonce could look like: > > nonce = HMAC_SHA1( SHA1(site+path) + '.' + now, site_key ) > > where site_key is a private key known to the server. It doesn't have > to be per-repo. > > receive-pack would then be willing to accept any nonce whose timestamp > is within a window, e.g. 10 minutes of the current time, and whose > signature verifies in the HMAC. The 10 minute window is important to > allow clients time to generate the object list, perform delta > compression, and begin transmitting to the server. Hmph, don't you send the "finally tell the other end" the sequence of "update this ref from old to new" and the packdata separately? I think we have a FLUSH in between, and the push certificate is given before the FLUSH, which you do not have to wait for 10 minutes. -- To unsubscribe from this list: send the line "unsubscribe git" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html