On Tue, May 9, 2017 at 3:16 PM, Jeff King <peff@xxxxxxxx> wrote: > On Tue, May 09, 2017 at 11:20:42AM -0700, Jonathan Tan wrote: > >> fetch-pack, when fetching a literal SHA-1 from a server that is not >> configured with uploadpack.allowtipsha1inwant (or similar), always >> returns an error message of the form "Server does not allow request for >> unadvertised object %s". However, it is sometimes the case that such >> object is advertised. >> >> Teach fetch-pack to also check the SHA-1s of the refs in the received >> ref advertisement if a literal SHA-1 was given by the user. > > Hmm. That makes sense generally, as the request should succeed. But it > seems like we're creating a client that will sometimes succeed and > sometimes fail, and the reasoning will be somewhat opaque to the user. > I have a feeling I'm missing some context on when you'd expect this to > kick in. Specifically, someone I know was looking at building an application that is passed only a SHA-1 for the tip of a ref on a popular hosting site[1]. They wanted to run `git fetch URL SHA1`, but this failed because the site doesn't have upload.allowtipsha1inwant enabled. However the SHA1 was clearly in the output of git ls-remote. So a workaround is to do this in shell, which is just weird: r=$(git ls-remote $url | grep ^$sha1); if [ -n "$r" ]; then exec git fetch $url $r:refs/tmp/foo else echo >&2 "cannot find $sha1" exit 1 fi For various reasons they expected this to work, because it works against other sites that do have upload.allowtipsha1inwant enabled. And I personally just expected it to work because the fetch client accepts SHA-1s, and the wire protocol uses "want SHA1" not "want ref", and the SHA-1 passed on the command line was currently in the advertisement when the connection opened, so its certainly something the server is currently willing to serve. The application in question is using a SHA-1 rather than a ref name, because thats what it was given by something else. And the other thing basically wants this to fail-fast if it can't get that exact SHA-1. So to pass a ref name to git fetch the supplier would have to actually pass a tuple of ref+sha1, and then the fetcher has to check that the ref it just obtained provides the sha1 it expected. So this all turned into a bug report by me to Jonathan Tan, because git fetch violated my assumption of what it would do if I handed it a SHA-1 and the SHA-1 was currently the tip of a remote ref. [1] github.com