Jonathan Tan <jonathantanmy@xxxxxxxxxx> writes: > Thanks for your comments. If you're referring to the codepath > involving write_sha1_file() (for example, builtin/hash-object -> > index_fd or builtin/unpack-objects), that is fine because > write_sha1_file() invokes freshen_packed_object() and > freshen_loose_object() directly to check if the object already exists > (and thus does not invoke the new mechanism in this patch). Is that a good thing, though? It means that you an attacker can feed one version to the remote object store your "grab blob" hook gets the blobs from, and have you add a colliding object locally, and the usual "are we recording the same object as existing one?" check is bypassed.