From: Michael J Gruber <git@drmicha.warpmail.net>
To: Jeff King <peff@peff.net>
Cc: Junio C Hamano <gitster@pobox.com>, git@vger.kernel.org
Subject: Re: Dropping '+' from fetch = +refs/heads/*:refs/remotes/origin/*?
Date: Fri, 02 Sep 2011 09:42:49 +0200 [thread overview]
Message-ID: <4E6088F9.5070102@drmicha.warpmail.net> (raw)
In-Reply-To: <20110902000039.GB9339@sigill.intra.peff.net>
Jeff King venit, vidit, dixit 02.09.2011 02:00:
> On Thu, Sep 01, 2011 at 11:25:31AM -0700, Junio C Hamano wrote:
>
>> Suggested reading:
>>
>> http://git-blame.blogspot.com/2011/08/how-to-inject-malicious-commit-to-git.html
>>
>> I am wondering if we are better off applying something along the lines of
>> this patch, so that with the default configuration, users can notice if
>> their upstream unexpectedly rewound their branches.
>
> Hmm. This feels like it's subtly changing the meaning of
> refs/remotes/$remote/*.
>
> Right now, I think of it as a local cache for whatever the remote side
> has. In other words, a way of separating the network-fetching parts of
> the workflow from the local parts. And in that sense, it is perfectly
> reasonable to overwrite with what the other side has, whether they
> rewind or not, because we are just representing what they have. And
> since we keep a reflog, it's not as if the previous state is lost to us
> locally.
>
> But with this change, we are making a policy judgement about what to
> fetch. And as you noticed, it means that users need to start telling git
> about their policy (e.g., mentioning in the refspecs that pu can rewind)
> in order to keep fetch working.
>
> So I consider that a downside, because it's extra work for the user[1].
> What are the upsides?
>
> Is this about preventing workflow-related mistakes where people
> accidentally merge in rebased commits, creating annoying shadow
> histories?
>
> Is it about preventing malicious rewinds from infecting downstream
> repositories?
>
> If the former, then I suspect we need to give more guidance to the user
> than saying "reject, non-fast-forward". What then? Should they "fetch
> -f"? Or "pull --rebase" (actually, how do they even fetch the branch
> now for such a pull --rebase)? Or talk out-of-band to the repo owner?
>
> If the latter, then I think we should be specific about the attack
> scenarios, and what happens with and without this config. And if it's a
> security precaution, what cases doesn't it cover (e.g., initial clone is
> still vulnerable, as is a one-off pull. As are are malicious insertion
> attacks that don't involve rewinding).
>
> And then we can weigh the upsides and the downsides.
>
> -Peff
>
> [1] What I really don't like is that cloning git.git is no longer:
>
> git clone git://git.kernel.org/pub/scm/git/git.git
>
> which is a minimal as it can be, but becomes:
>
> git clone git://git.kernel.org/pub/scm/git/git.git
> cd git
> git config --add remote.origin.fetch +refs/heads/pu:refs/remotes/origin/pu
>
> It's not that my fingers are too tired to do all that typing, but
> rather that the first set of instructions is very easy to explain,
> and the second one is full of magic and head-scratching about why
> git isn't handling this magic itself.
>
> It would be considerably nicer if the server had some way of saying
> "I expect this branch to be rewound". Which has been discussed off
> and on over the years, as I recall.
Hmm, that sounds like the often requested feature to have part of the
config distributed by "clone" as well, possibly after displaying it and
getting user confirmation.
Michael
next prev parent reply other threads:[~2011-09-02 7:42 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-09-01 18:25 Dropping '+' from fetch = +refs/heads/*:refs/remotes/origin/*? Junio C Hamano
2011-09-01 18:39 ` Junio C Hamano
2011-09-01 19:14 ` Shawn Pearce
2011-09-01 19:20 ` Michael J Gruber
2011-09-01 19:35 ` Matthieu Moy
2011-09-01 19:50 ` Shawn Pearce
2011-09-02 5:55 ` Matthieu Moy
2011-09-02 0:00 ` Jeff King
2011-09-02 7:00 ` Johannes Sixt
2011-09-02 15:26 ` Jeff King
2011-09-02 7:42 ` Michael J Gruber [this message]
2011-09-02 15:29 ` Jeff King
2011-09-02 16:14 ` Junio C Hamano
2011-09-02 16:25 ` Jeff King
2011-09-02 16:47 ` Junio C Hamano
2011-09-05 18:15 ` Shawn Pearce
2011-09-05 20:47 ` Jeff King
2011-09-05 20:53 ` Shawn Pearce
2011-09-05 20:57 ` Jeff King
2011-09-05 21:14 ` Shawn Pearce
2011-09-07 21:20 ` [RFC/PATCH] fetch: bigger forced-update warnings Jeff King
2011-09-07 21:39 ` Shawn Pearce
2011-09-07 21:53 ` Junio C Hamano
2011-09-07 21:57 ` Jeff King
2011-09-07 22:42 ` Thomas Rast
2011-09-06 7:39 ` Dropping '+' from fetch = +refs/heads/*:refs/remotes/origin/*? Matthieu Moy
2011-09-06 7:51 ` Michael J Gruber
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4E6088F9.5070102@drmicha.warpmail.net \
--to=git@drmicha.warpmail.net \
--cc=git@vger.kernel.org \
--cc=gitster@pobox.com \
--cc=peff@peff.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.