Shawn Pearce <spearce@xxxxxxxxxxx> writes:

> As you know, the stateless HTTP thing doesn't allow the nonce on the
> server to be carried from the initial ref advertisement into the final
> receive-pack. We would either need to write the nonce to disk and load
> it back up later (ick), or use some sort of stateless nonce.
>
> A stateless nonce could look like:
>
> nonce = HMAC_SHA1( SHA1(site+path) + '.' + now, site_key )
>
> where site_key is a private key known to the server. It doesn't have
> to be per-repo.

Doing the above naively will force you to check 600 HMACs if your slack
is for 10 minutes.

You could just instead use

nonce = now '-' HMAC_SHA1(path + '.' + now, site_key)

and the validation side can make sure the same site_key was used, and
also "now" readable from the plaintext part is fresh enough, with a
single HMAC.

I may be missing something, but with this, we can always validate that
"nonce" is what the repository issued (whether "stateless" is used or
not). The hook script can decide if "now" is recent enough or not
without bothering receive-pack at all.
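The "now '-' HMAC" layout from the reply, as an added example that is not part of the original thread and not git's own receive-pack code: issuing and validating such a nonce costs one HMAC, and the function at the end shows the per-second search the hidden-timestamp form would need instead. The site key, repository path and timestamps are constructed values.

```python
import hmac
import hashlib

# Constructed values: a real deployment keeps site_key as a server-side secret.
SITE_KEY = b"constructed-site-secret-not-a-real-key"
SLACK = 600  # the ten minutes of slack from the discussion


def hmac_sha1(key: bytes, msg: str) -> str:
    """Hex HMAC-SHA1 of msg under key."""
    return hmac.new(key, msg.encode(), hashlib.sha1).hexdigest()


def issue_nonce(path: str, now: int, site_key: bytes = SITE_KEY) -> str:
    """now '-' HMAC_SHA1(path '.' now, site_key): the timestamp travels in the
    clear, so the validator has to recompute exactly one HMAC."""
    mac = hmac_sha1(site_key, f"{path}.{now}")
    return f"{now}-{mac}"


def validate_nonce(nonce: str, path: str, now: int, slack: int = SLACK,
                   site_key: bytes = SITE_KEY) -> str:
    """Return 'OK', 'BAD' (wrong key, wrong path or tampered) or 'STALE'
    (outside the slack window). Authenticity costs one HMAC; freshness is a
    separate decision a hook could take on its own from the plaintext part."""
    issued_str, sep, mac = nonce.partition("-")
    if not sep or not issued_str.isdigit():
        return "BAD"
    issued = int(issued_str)
    # Constant-time compare so the check does not leak the MAC byte by byte.
    if not hmac.compare_digest(mac, hmac_sha1(site_key, f"{path}.{issued}")):
        return "BAD"
    # abs() tolerates small clock skew between issue time and check time.
    return "OK" if abs(now - issued) <= slack else "STALE"


def naive_validate(mac_only: str, path: str, now: int, slack: int = SLACK,
                   site_key: bytes = SITE_KEY) -> tuple:
    """Cost of the first proposal, where the nonce is only the HMAC and the
    timestamp stays hidden: try every second in the window, one HMAC each.
    Returns (matched, hmacs_computed)."""
    for tried, t in enumerate(range(now, now - slack - 1, -1), start=1):
        if hmac.compare_digest(mac_only, hmac_sha1(site_key, f"{path}.{t}")):
            return True, tried
    return False, slack + 1
```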