Junio C Hamano <gitster@xxxxxxxxx> writes: > Derrick Stolee <derrickstolee@xxxxxxxxxx> writes: > >>> How does a client tell which one it got? Do we register mimetype >>> with iana to use for these two types of files, and have the HTTP >>> downloader to use the information? >> >> My implementation is much dumber than that: it first attempts to >> parse the file as a bundle (looking for a bundle header) and then >> attempts to parse it as a config file after that. If neither >> succeed, then an error is thrown. > > I think that is probably the best implementation after all. > > We cannot trust what the other side tells us. "They claimed that > this is a bundle file and not a table-of-contents, and it does look > like one, but it may be corrupt or even malicious file that may look > like a bundle file on surface, so let's carefully examine it" ought > to be the attitude the receiving side has towards the incoming data. With the above, I do not mean that this new mechanism must be more paranoia than we already are. $ git fetch bootstrap.bndl refs/*:refs/bundle/bootstrap/* should already have sensible error checking, and we should use the available mechanism. But there of course are places the new feature should be careful in its new code, for example, we may want to unbundle all these bundles in quarantined area until we resolve all the prerequisite objects and then move them out of the quarantine, for example, if the new feature rolls its own code to unbundle instead of invoking "git fetch" on it. Even if it spawns "git fetch" on it, it may have to choose the parameters carefully (e.g. the refmap would want to avoid clobbering our own ref namespace, which you plan to do).