On Mon, 11 Feb 2008, Martin Koegler wrote: > On Mon, Feb 11, 2008 at 03:41:06PM -0500, Nicolas Pitre wrote: > > On Mon, 11 Feb 2008, Martin Koegler wrote: > > > Please remember, that --strict is used for pushing data. > > > > And what exactly does it provide in terms of safetiness that index-pack > > doesn't already do? I'm not sure I fully understood the goal here. > > The patch is about verifing the content of objects. My intented use is > for running a (restricted) server, which allows pushing via git-daemon > (or git-shell) from (untrusted) users. It can be also used to catch > corrupt objects, before they leave your repository, but this is for me > only a side effect. > > receive-pack accepts any crap (anything, which you can pipe into > git-hash-object with -t parameter of your choice), if the pack file > format is correct. > > But lots of code in git assums that the object content is welformd. > > Having such objects somewhere reachable in your repository will > disturb cloning (In the best case you get a error messages, in the > worst a child process of upload-pack segfaults), gitweb, ... . To fix > it, you will need a person with native access to the repository in the > worst case. OK that makes sense. I think this is a good idea to always have some sanity checks on any incoming objects so to make sure they're well formed and valid before giving them a SHA1 value, and bail out as soon as any error is found. >From my understanding that's what your patch is doing, right? (sorry I can't find them in my mailbox anymore). This can be done as objects are coming in just fine and requires no extra memory, and I would say this should be done unconditionally all the time. After all, the Git coherency model is based on the SHA1 checksuming, and therefore it is a good idea to never validate any malformed objects with a SHA1. So I'm all in favor of such validation always performed in index-pack and unpack-objects. As to making sure those objects are well connected... well this is a technically different issue entirely, and I wonder if a special mode to fsck might not be a better solution. For example, fsck could be made to validate object connectivity, starting from the new ref(s), and stopping object walking as soon as a reference to an object not included in the newly received pack is encountered. This could be run from some hook to decide whether or not to update the new refs, and to delete the pack otherwise. Nicolas - To unsubscribe from this list: send the line "unsubscribe git" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
