Jeff King <peff@xxxxxxxx> writes: > We're not doing a coordinated disclosure or special release for this. > Even after these patches, it's possible to get upload-pack to allocate > quite a bit of memory, especially for a large repository. Not to mention > that pack-objects may also allocate quite a bit to serve the pack > itself. So while this is low-hanging fruit, a public-facing Git site > probably still needs to have some kind of external tooling to kill > hungry processes (even if it's just OOM-killing them so they don't hurt > other clients). > > [1/9]: upload-pack: drop separate v2 "haves" array > [2/9]: upload-pack: switch deepen-not list to an oid_array > [3/9]: upload-pack: use oidset for deepen_not list > [4/9]: upload-pack: use a strmap for want-ref lines > [5/9]: upload-pack: accept only a single packfile-uri line > [6/9]: upload-pack: disallow object-info capability by default > [7/9]: upload-pack: always turn off save_commit_buffer > [8/9]: upload-pack: use PARSE_OBJECT_SKIP_HASH_CHECK in more places > [9/9]: upload-pack: free tree buffers after parsing I saw them when they were posted to the security list and they looked good already. Will queue. Thanks.