From: Matt McCutchen <matt@mattmccutchen.net>
To: Junio C Hamano <gitster@pobox.com>
Cc: git@vger.kernel.org, Jeff King <peff@peff.net>
Subject: Re: [PATCH] fetch/push: document that private data can be leaked
Date: Mon, 14 Nov 2016 14:08:02 -0500 [thread overview]
Message-ID: <1479150482.2406.35.camel@mattmccutchen.net> (raw)
In-Reply-To: <xmqqbmxhyjij.fsf@gitster.mtv.corp.google.com>
On Mon, 2016-11-14 at 11:00 -0800, Junio C Hamano wrote:
> Matt McCutchen <matt@mattmccutchen.net> writes:
>
> >
> > >
> > > Yup, and then "do not push to untrustworthy place without
> > > checking
> > > what you are pushing", too?
> >
> > If there is no private data in the repository, then there is no
> > need
> > for the user to check what they are pushing. As I've indicated
> > before,
> > IMO manually checking each push would not be a workable security
> > measure in the long term anyway.
>
> Then what is?
Don't put private data in the same repository, then the whole issue
becomes moot. Am I missing something?
Matt
next prev parent reply other threads:[~2016-11-14 19:08 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-10-28 21:39 Fetch/push lets a malicious server steal the targets of "have" lines Matt McCutchen
2016-10-28 22:00 ` Junio C Hamano
2016-10-28 22:16 ` Matt McCutchen
2016-10-29 1:11 ` Junio C Hamano
2016-10-29 3:33 ` Matt McCutchen
2016-10-29 13:39 ` Jeff King
2016-10-29 16:08 ` Matt McCutchen
2016-10-29 19:10 ` Jeff King
2016-10-30 7:53 ` Junio C Hamano
2016-11-13 1:25 ` [PATCH] fetch/push: document that private data can be leaked Matt McCutchen
2016-11-14 2:57 ` Junio C Hamano
2016-11-14 18:28 ` Matt McCutchen
2016-11-14 18:20 ` [PATCH] doc: mention transfer data leaks in more places Matt McCutchen
2016-11-14 19:19 ` Junio C Hamano
2016-11-14 19:00 ` [PATCH] fetch/push: document that private data can be leaked Junio C Hamano
2016-11-14 19:07 ` Jeff King
2016-11-14 19:47 ` Junio C Hamano
2016-11-14 19:08 ` Matt McCutchen [this message]
[not found] ` <CAPc5daVOxmowdiTU3ScFv6c_BRVEJ+G92gx_AmmKnR-WxUKv-Q@mail.gmail.com>
2016-10-29 16:07 ` Fetch/push lets a malicious server steal the targets of "have" lines Matt McCutchen
2016-10-30 8:03 ` Junio C Hamano
2016-11-13 2:10 ` Matt McCutchen
2016-10-29 17:38 ` Jon Loeliger
2016-10-30 8:16 ` Junio C Hamano
2016-11-13 2:44 ` Matt McCutchen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1479150482.2406.35.camel@mattmccutchen.net \
--to=matt@mattmccutchen.net \
--cc=git@vger.kernel.org \
--cc=gitster@pobox.com \
--cc=peff@peff.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.