On Sat, 2016-10-29 at 09:39 -0400, Jeff King wrote:
> I'm not sure I understand how connecting to a remote server to fetch is
> a big problem. The server may learn about the existence of particular
> sha1s in your repository, but cannot get their content.
>
> It's the subsequent push that is a problem.
>
> In the scenarios you've described, I'm mostly inclined to say that the
> problem is not git or the protocol itself, but rather lax refspecs.
> You mentioned earlier:
>
> the server can just generate another ref 'xx' pointing to Y2, assuming
> it can entice the victim to set up a corresponding local branch
> refs/heads/for-server1/xx and push it back. Or if the victim is for
> some reason just mirroring back and forth:
>
> This sounds a lot like "I told git to push a bunch of things without
> checking if they were really secret, and it turned out to push some
> secret things". IOW I think the problem is not that the server may lie
> about what it has, but that the user was not careful about what they
> pushed. I dunno. I do not mind making a note in the documentation
> explaining the implications of a server lying, but the scenarios seem
> pretty contrived to me.

Let's focus on the first scenario. There the user is just pulling and
pushing a master branch. Are you saying that each time the user pulls,
they need to look over all the commits they pulled before pushing them
back? I think that's unrealistic, for example, on a busy project with
centralized code review or if the user is publishing a
project-specific modified version of an upstream library. The natural
user expectation is that anything pulled from a public repository is
public. But let's see what Junio says in the other subthread.
> A much more interesting one, IMHO, is a server whose receive-pack lies
> about which objects it has (possibly ones it found out about earlier via
> fetch), which provokes the client to generate deltas against objects the
> server doesn't have (and thereby leaking information about the base
> objects).
>
> That is a problem no matter how careful your refspecs are. I suspect it
> would be a hard attack to pull off in practice, just because it's going
> to depend heavily on the content of the specific objects, what kinds of
> deltas you can convince the other side to generate, etc. That might
> merit a mention in the git-push documentation.

Sure, if I end up doing a patch, I'll include this.

Matt
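The delta-leak scenario in the quoted paragraph, as an added illustration that is not part of this thread and not git's own code: a receiving side claims to have a base object it does not have, the client obligingly deltifies a pushed object against that base, and the receiver learns something about the base from the delta. git's real pack-delta format (variable-length size header followed by binary copy/insert opcodes) is replaced here by a simplified greedy encoder that emits the same two kinds of operation, so the information flow is the same. The file contents, the `MIN_MATCH` threshold and the assumption that the attacker already knows the pushed target's content from elsewhere are all constructed for the example.

```python
# Added example, not git's code: a toy model of a delta sent to a receiver
# that lied about having the base object. The delta format is a simplified
# stand-in for git's copy/insert ops; all data below is constructed.

MIN_MATCH = 8  # shortest run worth a copy op (assumed threshold)

# Constructed sample: a private file in the victim's repo (the base the
# lying server claims to have) and a public version of the same file that
# the victim later pushes (the target).
PRIVATE_BASE = (b"[service]\n"
                b"url = https://api.example.test/v1\n"
                b"token = hunter2-do-not-publish\n"
                b"timeout = 30\n")
PUBLIC_TARGET = (b"[service]\n"
                 b"url = https://api.example.test/v1\n"
                 b"token = REPLACE_ME\n"
                 b"timeout = 30\n")


def encode_delta(base, target):
    """Encode target relative to base as copy/insert ops, which is what a
    client does when it believes the receiver already has base."""
    ops, literal, i = [], bytearray(), 0
    while i < len(target):
        best_off = best_len = 0
        for j in range(len(base)):  # longest run of target[i:] found in base
            k = 0
            while (i + k < len(target) and j + k < len(base)
                   and target[i + k] == base[j + k]):
                k += 1
            if k > best_len:
                best_off, best_len = j, k
        if best_len >= MIN_MATCH:
            if literal:
                ops.append(("insert", bytes(literal)))
                literal = bytearray()
            ops.append(("copy", best_off, best_len))
            i += best_len
        else:
            literal.append(target[i])
            i += 1
    if literal:
        ops.append(("insert", bytes(literal)))
    # As in git, the delta header carries the sizes of base and target.
    return {"base_size": len(base), "target_size": len(target), "ops": ops}


def apply_delta(base, delta):
    """Honest receiver: it really has base, so it can rebuild target."""
    out = bytearray()
    for op in delta["ops"]:
        if op[0] == "copy":
            out += base[op[1]:op[1] + op[2]]
        else:
            out += op[1]
    return bytes(out)


def recover_base(delta, known_target):
    """Lying receiver: it has no base, but if it already knows the target's
    content from elsewhere, every copy op pins target bytes to base offsets.
    Base bytes the target never copied stay unknown and are shown as '?'."""
    recovered = bytearray(b"?" * delta["base_size"])
    pos = 0
    for op in delta["ops"]:
        if op[0] == "copy":
            _, off, length = op
            recovered[off:off + length] = known_target[pos:pos + length]
            pos += length
        else:
            pos += len(op[1])
    return bytes(recovered)


if __name__ == "__main__":
    delta = encode_delta(PRIVATE_BASE, PUBLIC_TARGET)
    assert apply_delta(PRIVATE_BASE, delta) == PUBLIC_TARGET
    print(recover_base(delta, PUBLIC_TARGET).decode())
```

Running it shows what the lying receiver gets: the base's exact size, every region the target shares with it, and the offset and length of the one region it does not (the token line), while the token bytes themselves stay unknown because the pushed target never contained them. That is the limit Jeff's message points at: how much leaks depends on which target contents the attacker can get the client to deltify against the secret base.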