Jeff King <peff@xxxxxxxx> writes: > I suspect it could be made to give similar guarantees, but I don't think > anybody has ever made a conscious effort. I also recall that we thought upload-pack was safe because it does nothing more than what it was asked to do, until we realized that in a lazy clone it would slurp what it is missing from its promisors, at which point it does more than just "serve things from here". What worries me more is the fact that any such evaluation can only be about the current state. A careless change to say pack-objects that allows innocent looking customization to take place _could_ turn out to be triggerable by the repository when upload-pack is run, and the "innocent looking" customization may be more generic than necessary and can be used creatively to cause damage. "Don't allow any customizations to 'rev-list' because its internal is shared with 'pack-objects' that in turn is run from 'upload-pack'" would not be an answer. It is unclear to me how to make sure such an evaluation, that was done once in the past, will stay valid. That is something we need to come up with a viable approach and document, too. Thanks.
