On Mon, Nov 14, 2016 at 11:00:04AM -0800, Junio C Hamano wrote:

> Matt McCutchen <matt@xxxxxxxxxxxxxxxxx> writes:
>
> >> Yup, and then "do not push to untrustworthy place without checking
> >> what you are pushing", too?
> >
> > If there is no private data in the repository, then there is no need
> > for the user to check what they are pushing. As I've indicated before,
> > IMO manually checking each push would not be a workable security
> > measure in the long term anyway.
>
> Then what is? Don't answer; this is a rhetorical question.
>
> The answer is "do not push to untrustworthy place", if you are
> unable to check what you are pushing.

I think "check what you are pushing" only covers one case (attacker lies
to you during a fetch, and you accidentally push that back, thinking
they already have it).

But consider the other case mentioned: the attacker lies to you while
pushing and _says_ they have X, then deduces information from the delta
you generate. The only advice there is "do not push to an untrusted
place from a repository containing private objects".

So I think the in-between answer is "it is OK to push to an
untrustworthy place, but do not do it from a repo that may contain
secret contents".

-Peff