Thanks Junio for your answer! >From my simple tests it seems that github doesn't have this on by default so that seems a little dull. Do you know if there is a way to actually find a ref that contains the SHA from a remote? Finally, you say that its a security feature, but from the log it feels like you are actually downloading things first and then you determine if you are allowed to fetch it or? $ git fetch subrepo 50f730db793e0733b159326c5a3e78fd48cedfec:refs/remote/subrepo/foo-commit remote: Counting objects: 2311, done. remote: Total 2311 (delta 0), reused 0 (delta 0), pack-reused 2311 -- >>> Receiving objects: 100% (2311/2311), 703.64 KiB | 0 bytes/s, done. Resolving deltas: 100% (1174/1174), done. error: Server does not allow request for unadvertised object 50f730db793e0733b159326c5a3e78fd48cedfec -- Magnus MAGNUS CARLSSON Staff Software Engineer ARRIS o: +46 13 36 75 92 e: magnus.carlsson@xxxxxxxxx w: www.arris.com ARRIS: Legal entity: Arris Sweden AB - Registered Office: Teknikringen 2, 583 30 Linkoping, Sweden - Reg No:556518-5831 - VAT No:SE 556518-583 This electronic transmission (and any attached document) is for the sole use of the individual or entity to whom it is addressed. It is confidential and may be attorney-client privileged. In any event the Sender reserves, to the fullest extent, any "legal advice privilege". Any further distribution or copying of this message is strictly prohibited. If you received this message in error, please notify the Sender immediately and destroy the attached message (and all attached documents). ________________________________________ From: Junio C Hamano <gitster@xxxxxxxxx> Sent: Tuesday, December 19, 2017 17:07 To: Carlsson, Magnus Cc: git@xxxxxxxxxxxxxxx Subject: Re: Fetching commit instead of ref "Carlsson, Magnus" <Magnus.Carlsson@xxxxxxxxx> writes: > I understand that you don't want to allow people fetching single > commits all the time, but is there a reason that you don't allow > SHA instead of references when you fetch an entire tree? I do not think we don't want to allow "single commit" fetch. We do not allow fetching histories from an arbitrary point in the graph, unless we can prove that what gets fetched is what the serving end intended to expose to the fetcher---you should view it as a security issue. The default way to determine that a fetch request is getting only the things the serving end wanted to publish is to see the requested tips of the histories to be fetched are all pointed by refs. Which means that a client of a hosting site can rewind and repoint a ref after pushing a wrong branch that contained undesirable matter by accident. Moving the ref to make the undesirable object unreachable is all that is needed to "hide" it from the public view, even when the client does not have a way to trigger "gc" immediately on the hosting site. There are variants of this security measure. If the hosting site is willing to spend extra cycles, we could loosen the "is the request fetching only what is published?" check to see if the requested tips are reachable from the tips of refs, instead of exactly at refs. It preserves "a mistake can be hidden with a forced push" property the same way as above, but it is costly and is prone to abuse. If you are confident about your pushes all the time, you can take a stance "anything in the repository is meant to be read". That is what the "allowAnySHA1InWant" does. Not everybody however wants to do this for obvious reasons, so it is not a default.
