Still annoying though. Ideally default should be to allow fetching any commit reachable from a branch or tag. Seems that commit graphs already make this pretty fast?

-----Original Message-----
From: Konstantin Ryabitsev <konstantin@xxxxxxxxxxxxxxxxxxx>
Sent: Monday, December 12, 2022 12:06 PM
To: Yagnatinsky, Mark : Markets Pre Trade <mark.yagnatinsky@xxxxxxxxxxxx>
Cc: git@xxxxxxxxxxxxxxx
Subject: Re: feature request: git clone --branch should accept commit hash

On Mon, Dec 12, 2022 at 04:44:49PM +0000, mark.yagnatinsky@xxxxxxxxxxxx wrote:
> Never mind, I see, feature exists but server needs to allow it. Sigh.

There are good reasons for remote servers to not allow this by default. Imagine the following scenario:

Repo 1: officialrepo.git -- official project repository
Repo 2: forkedrepo.git -- a random fork by someone

Frequently, these repositories will use a common object storage backend, which allows saving a LOT of space on the remote server. So, on the backend these repositories will be organized as:

Repo 0: sharedrepo.git
Repo 1: officialrepo.git (with alternates to sharedrepo.git)
Repo 2: forkedrepo.git (with alternates to sharedrepo.git)

So, if a random developer pushes commit abcde into forkedrepo.git and the backend server pulls that object into sharedrepo.git, you are now able to "see" commit abcde from officialrepo.git. It's just a "loose object" and if you clone officialrepo.git, that object won't be in it, because it's not connected to any of the heads or tags.

This situation is frequently abused for silly reasons like making it appear as if Linus committed something that he actually didn't:

https://clicktime.symantec.com/15sLvRfRRhRgHZarrDPj3?h=w3w5bFP_4AI8QKPR8q947BcV4VIwZSjyrG0fvyy79kg=&u=https://github.com/torvalds/linux/blob/ac632c504d0b881d7cfb44e3fdde3ec30eb548d9/Makefile%23L6

For this reason, Github prints that big warning at the top to tell you that what you are viewing isn't actually part of linux.git. However, there's no way to print this warning if you issue "git clone", so if this feature were to be allowed by default, it would make it easy for someone to trick you into cloning malicious commits by making it look like you're cloning an official repository.

I go into it in some detail here:

https://clicktime.symantec.com/15sM1FrhtK7GhWQnPmnsf?h=9VLQcMVeC9X4IS0ge7Qa4ficEFudanLVd4MBBtCkVek=&u=https://people.kernel.org/monsieuricon/cross-fork-object-sharing-in-git-is-not-a-bug

Best regards,
Konstantin
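
The shared-storage layout described in the thread above, rebuilt locally as an added example (not part of the original messages): it shows a commit pushed only to a fork being readable from the official repository while no branch or tag there contains it. The repository names, the helper functions and the commits are all constructed for illustration.

```shell
#!/bin/sh
# Constructed layout: shared.git, official.git, fork.git and every commit here
# are made up for this example; nothing touches a real server.

# True if SHA names a commit object that REPO can read (alternates included).
object_exists() { git -C "$1" cat-file -e "$2^{commit}" 2>/dev/null; }

# True only if SHA is contained in some branch or tag of REPO.
is_reachable() {
    [ -n "$(git -C "$1" for-each-ref --contains "$2" refs/heads refs/tags 2>/dev/null)" ]
}

commit() {  # commit MESSAGE: empty commit in the scratch work tree, prints its hash
    git -C "$DEMO_DIR/work" -c user.name=demo -c user.email=demo@example.invalid \
        -c commit.gpgsign=false commit -q --allow-empty -m "$1" &&
    git -C "$DEMO_DIR/work" rev-parse HEAD
}

setup_demo() {  # sets DEMO_DIR, OFFICIAL_SHA, FORK_SHA
    DEMO_DIR=$(mktemp -d) || return 1
    for r in shared official fork; do git init -q --bare "$DEMO_DIR/$r.git"; done
    # Both public repos borrow objects from the shared store.
    for r in official fork; do
        echo "$DEMO_DIR/shared.git/objects" > "$DEMO_DIR/$r.git/objects/info/alternates"
    done
    git init -q "$DEMO_DIR/work"
    OFFICIAL_SHA=$(commit "official commit") || return 1
    git -C "$DEMO_DIR/work" push -q "$DEMO_DIR/official.git" HEAD:refs/heads/main
    git -C "$DEMO_DIR/work" push -q "$DEMO_DIR/fork.git" HEAD:refs/heads/main
    FORK_SHA=$(commit "pushed to the fork only") || return 1
    git -C "$DEMO_DIR/work" push -q "$DEMO_DIR/fork.git" HEAD:refs/heads/topic
    # The backend pulls the fork's objects into the shared store.
    git -C "$DEMO_DIR/shared.git" fetch -q "$DEMO_DIR/fork.git" '+refs/heads/*:refs/forks/fork/*'
}

report() {  # report REPO SHA: prints "<visible|absent> <reachable|unreachable>"
    object_exists "$1" "$2" && v=visible || v=absent
    is_reachable "$1" "$2" && c=reachable || c=unreachable
    echo "$v $c"
}

setup_demo || exit 1
echo "fork-only commit in official.git: $(report "$DEMO_DIR/official.git" "$FORK_SHA")"
echo "fork-only commit in fork.git:     $(report "$DEMO_DIR/fork.git" "$FORK_SHA")"
echo "official commit in official.git:  $(report "$DEMO_DIR/official.git" "$OFFICIAL_SHA")"
rm -rf "$DEMO_DIR"
```

Run against a real clone, `is_reachable` is the check to apply to any commit hash received out of band before trusting that it belongs to the project whose URL it was quoted with.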