Jeff King <peff@xxxxxxxx> writes:

> On Tue, Mar 01, 2016 at 01:36:05PM -0800, Junio C Hamano wrote:
>
>> Even though the command does read the bundle header and checks to
>> see if it looks reasonable, the thin-pack data stream that follows
>> the header in the bundle file is not checked. More importantly,
>> because the thin-pack data does not have a trailing checksum like
>> on-disk packfiles do, there isn't much "verification" the command
>> can do without unpacking the objects from the stream even if it
>> wanted to.
>
> Are you sure about that trailing checksum thing?

No. I misread the fact that we do not say the final csum on the
command output from pack-objects in the --stdout case. We do call
the sha1close() to append the csum at the end of the pack stream; we
just do not make it available to the caller who is driving the
pack-object procedure.
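Added example, not part of the original message and not Git's own code: a Python sketch of the check the trailing checksum makes possible, verifying a bundle's pack stream without unpacking any object. It assumes a v2 bundle from a SHA-1 repository held in memory; the function names and the sample bundle are constructed for illustration.

```python
import hashlib
import struct
import zlib

SIGNATURE = b"# v2 git bundle\n"
TRAILER_LEN = 20  # assumption: SHA-1 repository, so a 20-byte trailer


def split_bundle(data: bytes):
    """Split an in-memory v2 bundle into (header lines, pack stream)."""
    if not data.startswith(SIGNATURE):
        raise ValueError("missing v2 bundle signature")
    # The header ends at the first empty line; the pack stream follows it.
    end = data.find(b"\n\n", len(SIGNATURE) - 1)
    if end < 0:
        raise ValueError("bundle header is not terminated by an empty line")
    lines = data[len(SIGNATURE):end + 1].splitlines()
    return lines, data[end + 2:]


def check_pack_trailer(pack: bytes):
    """Return (ok, object_count); ok is True when the trailing SHA-1 matches."""
    if len(pack) < 12 + TRAILER_LEN or pack[:4] != b"PACK":
        raise ValueError("truncated or malformed pack stream")
    version, count = struct.unpack(">II", pack[4:12])
    if version not in (2, 3):
        raise ValueError(f"unsupported pack version {version}")
    body, trailer = pack[:-TRAILER_LEN], pack[-TRAILER_LEN:]
    return hashlib.sha1(body).digest() == trailer, count


def make_sample_bundle() -> bytes:
    """Constructed sample: one ref line and a pack holding a single blob."""
    blob = b"hi\n"
    oid = hashlib.sha1(b"blob %d\0" % len(blob) + blob).hexdigest().encode()
    # Object entry: type 3 (blob) in bits 4-6, size 3 in the low nibble.
    entry = bytes([(3 << 4) | len(blob)]) + zlib.compress(blob)
    body = b"PACK" + struct.pack(">II", 2, 1) + entry
    pack = body + hashlib.sha1(body).digest()
    return SIGNATURE + oid + b" refs/heads/sample\n\n" + pack


if __name__ == "__main__":
    refs, pack = split_bundle(make_sample_bundle())
    print(refs, check_pack_trailer(pack))
    print(check_pack_trailer(pack[:12] + bytes([pack[12] ^ 0xFF]) + pack[13:]))
```

A matching trailer shows only that the stream is complete and unmodified relative to what pack-objects wrote; it does not validate the objects inside or authenticate who produced the bundle.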