Hello everyone. I've done some further research on the security properties of git metadata and I think I've identified something that might be worth discussing. In this case, The issue is related to the refs that point to git tag objects. Specifically, the "loose" nature of tag refs might possibly trick people into installing the wrong revision (version?) of a file. To elaborate, the ref of a tag object can be moved around in the same way a branch can be moved around (either manually or by using git commands). If someone with write access can modify where this ref points to, and points it to another valid tag (e.g., an older, vulnerable version), then many tools that work under the assumption of static tags might mistakenly install/pull the wrong reivision of source code. I've verified that this is possible to pull off in package managers such as PIP, rubygems, gradle(maven), as well as git submodules tracking tags. In order to stay loyal to the way files in the .git directory are ordered, I don't think that making the ref file (or packed refs) files differently is an option. However, I think that it could be possible to store the "origin ref" in the git tag object, so tools can verify that they are looking at the appropriate tag. There might also be a simpler solution to this, and I would appreciate any feedback. What do you guys think? Thanks! Santiago. -- To unsubscribe from this list: send the line "unsubscribe git" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html