On Tue, Feb 02, 2016 at 10:57:01AM +0900, Mike Hommey wrote: > Hi, > > You might or might not be aware of this thread: > https://groups.google.com/forum/#!topic/binary-transparency/f-BI4o8HZW0 > > Anyways, this got me to take a look around, and I noticed that > parse_object does SHA-1 validation through check_sha1_signature. What > surprised me is that parse_object_buffer doesn't. So we end up with > inconsistent behavior across commands: > > $ git init > $ echo a > a ; echo b > b > $ git add a b > $ git cat-file blob 78981922613b2afb6025042ff6bd878ac1994e85 > a > $ cp -f .git/objects/61/780798228d17af2d34fce4cfbdf35556832472 .git/objects/78/981922613b2afb6025042ff6bd878ac1994e85 > $ git cat-file blob 78981922613b2afb6025042ff6bd878ac1994e85 > b > $ git show 78981922613b2afb6025042ff6bd878ac1994e85 > error: sha1 mismatch 78981922613b2afb6025042ff6bd878ac1994e85 > fatal: bad object 78981922613b2afb6025042ff6bd878ac1994e85 > > Shouldn't parse_object_buffer also do check_sha1_signature? Well, except cat-file doesn't use parse_object_buffer either... Mike -- To unsubscribe from this list: send the line "unsubscribe git" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html