From: Jeff King <peff@peff.net>
To: Junio C Hamano <gitster@pobox.com>
Cc: git@vger.kernel.org
Subject: Re: [PATCH] disable grafts during fetch/push/bundle
Date: Tue, 4 Mar 2014 19:56:49 -0500 [thread overview]
Message-ID: <20140305005649.GB11509@sigill.intra.peff.net> (raw)
In-Reply-To: <xmqqd2i1k7p9.fsf@gitster.dls.corp.google.com>
On Tue, Mar 04, 2014 at 12:52:18PM -0800, Junio C Hamano wrote:
> > We already make an attempt to do the right thing in several
> > places by turning off read_replace_refs. However, we missed
> > at least one case (during bundle creation), and we do
> > nothing anywhere to handle grafts.
>
> "Doing nothing for grafts" has been pretty much a deliberate
> omission. Because we have no way to transfer how histories are
> grafted together, people cloning from a repository that grafts away
> a commit that records a mistakenly committed sekrit will end up with
> a disjoint history, instead of exposing the sekrit to them, and are
> expected to join the history by recreating grafts (perhaps a README
> of such a project instructs them to do so). That was deemed far
> better than exposing the hidden history, I think.
I see your point, but I would be tempted to say that the person trying
to hide a secret with grafting is simply wrong to do so. You need to
cement that history with a rewrite if you want to share with people.
I do not recall any past discussion on this topic, and searching the
archive only shows people echoing what I said above. Is this something
we've promised to work in the past?
I'm certainly sympathetic to systems failing to a secure default rather
than doing something that the user does not expect. But at the same
time, if using grafts for security isn't something people reasonably
expect, then failing only hurts the non-security cases.
> And "replace tries to do the right thing" was an attempt to rectify
> that misfeature of grafts in that we now do have a way to transfer
> how the history is grafted together, so that project README does not
> have to instruct the fetcher of doing anything special.
Perhaps the right response is "grafts are broken, use git-replace
instead". But then should we think about deprecating grafts? Again, this
patch was spurred by a real user with a graft trying to push and getting
a confusing error message.
> It _might_ be a misfeature, however, for the object connectivity
> layer to expose a part of the history replaced away to the party
> that fetches from such a repository. Ideally, the "right thing"
> ought to be to include history that would be omitted if we did not
> have the replacement (i.e. adding parents the underlying commit does
> not record), while not following the history that replacement wants
> to hide (i.e. excluding the commits replacement commits overlay).
I don't really think it's worth the complexity. It's fairly common
knowledge (or at least I think so) that replace refs are a _view_ onto
the history. When you share the history graph, you share the true
objects. You can _also_ share your views in replace/refs, but it is up
to the client to fetch them. If you want to hide things, then you need
to rewrite the true objects, end of story.
I dunno. Maybe there are people who have different expectations.
-Peff
next prev parent reply other threads:[~2014-03-05 0:56 UTC|newest]
Thread overview: 35+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-03-04 17:48 [PATCH] disable grafts during fetch/push/bundle Jeff King
2014-03-04 20:52 ` Junio C Hamano
2014-03-05 0:56 ` Jeff King [this message]
2014-03-05 18:49 ` Junio C Hamano
2014-03-05 18:52 ` Jeff King
2014-03-05 19:18 ` Junio C Hamano
2014-03-05 19:28 ` Jeff King
2014-03-05 20:24 ` Junio C Hamano
2014-03-06 8:42 ` Michael Haggerty
2014-03-06 9:17 ` Christian Couder
2014-03-06 15:56 ` Jeff King
2014-03-06 16:41 ` Michael Haggerty
2014-03-06 17:48 ` Jeff King
2014-03-06 17:49 ` [RFC/PATCH 1/4] replace: refactor command-mode determination Jeff King
2014-03-06 17:49 ` [RFC/PATCH 2/4] replace: use OPT_CMDMODE to handle modes Jeff King
[not found] ` <CAP8UFD2c0UKT8Uyw4j9SzKGx2oLn=o7N-dtvQHPaaBtLT6ggcw@mail.gmail.com>
2014-03-06 18:48 ` Jeff King
2014-03-06 17:49 ` [RFC/PATCH 3/4] replace: factor object resolution out of replace_object Jeff King
2014-03-06 17:51 ` [RFC/PATCH 4/4] replace: add --edit option Jeff King
2014-03-07 1:57 ` Eric Sunshine
2014-03-07 17:17 ` Jeff King
2014-03-06 19:00 ` [PATCH] disable grafts during fetch/push/bundle Junio C Hamano
2014-03-06 19:07 ` Jeff King
2014-03-06 23:01 ` Philip Oakley
2014-03-06 23:29 ` Michael Haggerty
2014-03-06 23:39 ` Junio C Hamano
2014-03-07 7:08 ` Christian Couder
2014-03-07 17:19 ` Jeff King
2014-03-19 22:39 ` Junio C Hamano
2014-03-21 0:49 ` Jeff King
2014-03-06 23:48 ` Philip Oakley
2014-03-04 23:36 ` Eric Sunshine
2014-03-05 0:37 ` Jeff King
2014-03-05 1:00 ` Eric Sunshine
2014-03-05 1:05 ` Jeff King
2014-03-05 1:07 ` Eric Sunshine
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140305005649.GB11509@sigill.intra.peff.net \
--to=peff@peff.net \
--cc=git@vger.kernel.org \
--cc=gitster@pobox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).