On Fri, 2016-10-28 at 18:11 -0700, Junio C Hamano wrote:
> Ah, I see. My immediate reaction is that you can do worse things in
> the reverse direction compared to this, but your scenario does sound
> bad already.

Are you saying that clients connecting to untrusted servers already face worse risks that people should know about, so there is no point in documenting this one? I guess I don't know about the other risks aside from accepting a corrupt object, which should be preventable by enabling fetch.fsckObjects.

It seems we need either a statement that connecting to untrusted servers is officially unsupported or a description of the specific risks.

Matt