Hi, You might or might not be aware of this thread: https://groups.google.com/forum/#!topic/binary-transparency/f-BI4o8HZW0 Anyways, this got me to take a look around, and I noticed that parse_object does SHA-1 validation through check_sha1_signature. What surprised me is that parse_object_buffer doesn't. So we end up with inconsistent behavior across commands: $ git init $ echo a > a ; echo b > b $ git add a b $ git cat-file blob 78981922613b2afb6025042ff6bd878ac1994e85 a $ cp -f .git/objects/61/780798228d17af2d34fce4cfbdf35556832472 .git/objects/78/981922613b2afb6025042ff6bd878ac1994e85 $ git cat-file blob 78981922613b2afb6025042ff6bd878ac1994e85 b $ git show 78981922613b2afb6025042ff6bd878ac1994e85 error: sha1 mismatch 78981922613b2afb6025042ff6bd878ac1994e85 fatal: bad object 78981922613b2afb6025042ff6bd878ac1994e85 Shouldn't parse_object_buffer also do check_sha1_signature? Mike -- To unsubscribe from this list: send the line "unsubscribe git" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html