So, like, Junio C Hamano said:
> Matt McCutchen <matt@xxxxxxxxxxxxxxxxx> writes:
>
> > Then the server generates a commit X3 that lists Y2 as a parent, even
> > though it doesn't have Y2, and advances 'x' to X3. The victim fetches
> > 'x':
> >
> >        victim                      server
> >
> >          Y1---Y2----                       (Y2)
> >         /           \                          \
> > ---O---O---X1---X2---X3    ---O---O---X1---X2---X3
> >
> > Then the server rolls back 'x' to X2:
> >
> >        victim                      server
> >
> >          Y1---Y2----
> >         /           \
> > ---O---O---X1---X2---X3    ---O---O---X1---X2
>
> Ah, I see. My immediate reaction is that you can do worse things in
> the reverse direction compared to this, but your scenario does sound
> bad already.

Is there an existing protocol provision, or an extension to
the protocol that would allow a distrustful client to say
to the server, "Really, you have Y2? Prove it." And expect
the server to respond with a SHA1 sequence back to a common
SHA (in this case the left-most O).

If so, a user could designate some branch (Y) as "sensitive".
Or, a whole repo could be so designated and the client then
effectively treats the server as a semi-hostile witness.

Dunno.

jdl
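
An added illustration, not part of the original message and not a Git feature: a client-side check, modeled on the quoted diagram, that flags a fetched commit naming a parent the server neither sent nor was already known to hold. The labels O1/O2 for the two unlabeled O commits, the function names, and the notion of locally recorded "known to server" tips are assumptions of this example.

```python
# Constructed commit graph from the quoted diagram: commit -> parents.
# "O1"/"O2" are assumed labels for the two unlabeled O commits.
PARENTS = {
    "O1": [], "O2": ["O1"],
    "X1": ["O2"], "X2": ["X1"],
    "Y1": ["O2"], "Y2": ["Y1"],   # sensitive branch 'y', never pushed
    "X3": ["X2", "Y2"],           # commit generated by the server
}


def reachable(tips, parents):
    """Return every commit reachable from the given tips."""
    seen, stack = set(), list(tips)
    while stack:
        commit = stack.pop()
        if commit not in seen:
            seen.add(commit)
            stack.extend(parents[commit])
    return seen


def unproven_parents(received, known_to_server_tips, parents):
    """List (commit, parent) edges where a received commit names a parent
    that was neither in the received set nor reachable from tips the
    client already knew the server to hold (assumed to be the previous
    remote-tracking tips for that server)."""
    trusted = reachable(known_to_server_tips, parents) | set(received)
    return sorted(
        (commit, parent)
        for commit in received
        for parent in parents[commit]
        if parent not in trusted
    )


if __name__ == "__main__":
    # Before the fetch the client knew the server held 'x' at X2.
    # The fetch delivers only X3; Y2 resolves from the local object store.
    for commit, parent in unproven_parents(["X3"], ["X2"], PARENTS):
        print(f"{commit} lists parent {parent}, which the server never sent")
```

A fetch that delivers Y1 and Y2 along with X3 produces no findings, so ordinary merges of branches the server really holds are not flagged.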