Junio C Hamano <gitster@xxxxxxxxx> writes:

> I am inclined to say that it has no security implications. You have
> to be able to write a bogus loose object in an object store you
> already have write access to in the first place, in order to cause
> this ...

Note that you could social-engineer others to fetch from you and feed a small enough update that results in loose objects created in their repositories, without you having a direct write access to the repository.

The codepath under discussion in this thread however cannot be used as an attack vector via that route, because the "fetch from elsewhere" codepath runs verification of the incoming data stream before storing the results (either in loose object files, or in a packfile) on disk.
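
Added example, not part of the original message and not Git's own code: a simplified audit of loose objects already on disk, flagging a "bogus" one whose header, declared size or hash does not match its file name. It assumes a SHA-1 repository and the standard loose-object layout (zlib-deflated `type size\0content` under `objects/xx/yyyy...`); the function names and the sample objects are constructed for illustration.

```python
import hashlib
import os
import tempfile
import zlib

TYPES = {b"blob", b"tree", b"commit", b"tag"}

def check_loose_object(objects_dir, name):
    """Return None if the loose object `name` is sound, else a reason string."""
    path = os.path.join(objects_dir, name[:2], name[2:])
    try:
        with open(path, "rb") as fh:
            raw = zlib.decompress(fh.read())
    except (OSError, zlib.error) as exc:
        return f"unreadable: {exc.__class__.__name__}"
    header, sep, body = raw.partition(b"\0")
    if not sep:
        return "missing header terminator"
    kind, _, size = header.partition(b" ")
    if kind not in TYPES:
        return "unknown object type"
    if not size.isdigit() or int(size) != len(body):
        return "declared size does not match content"
    if hashlib.sha1(raw).hexdigest() != name:
        return "content does not hash to its file name"
    return None

def write_loose(objects_dir, name, raw):
    """Helper: store `raw` under `name`, as someone with direct write access could."""
    os.makedirs(os.path.join(objects_dir, name[:2]), exist_ok=True)
    with open(os.path.join(objects_dir, name[:2], name[2:]), "wb") as fh:
        fh.write(zlib.compress(raw))

def demo():
    """Build a constructed object store: one sound object, two bogus ones."""
    store = tempfile.mkdtemp()
    good = b"blob 6\0hello\n"
    good_name = hashlib.sha1(good).hexdigest()
    write_loose(store, good_name, good)
    # Bogus: the header claims 600 bytes but only 6 follow.
    lie = b"blob 600\0hello\n"
    lie_name = hashlib.sha1(lie).hexdigest()
    write_loose(store, lie_name, lie)
    # Bogus: well-formed content stored under a name it does not hash to.
    swapped_name = "0" * 40
    write_loose(store, swapped_name, good)
    names = (good_name, lie_name, swapped_name)
    return {n: check_loose_object(store, n) for n in names}
```

On a real repository, `git fsck` is the supported way to run this kind of consistency check.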