On Wed, May 30, 2018 at 10:32:19AM +0900, Junio C Hamano wrote: > If we want to also encourage people to vet their own "fetches", I am > not against extending documentation. It just is different from "we > extended the mechanism to help server side protect their clients" > that was the focus of (updated, relative to what is in the tarball) > the description in the release notes. I haven't tested it, but I suspect that doing multiple fetches could result in passing bad objects through a fetch.fsckObjects filter. Because the objects aren't quarantined on fetch, and because fsck_finish() requires the objects to be installed into place, they may still exist in the repository even if we end up rejecting them. Would a subsequent fetch hit the quickfetch() code and update without actually sending the objects again? This problem is specific to the .gitmodules thing, I think, because the other fsck checks are able to die much earlier (before fsck_finish). I think in the long run fetch should implement a similar quarantine procedure to what happens on push. -Peff