From: Junio C Hamano <junkio@cox.net>
To: ebiederm@xmission.com (Eric W. Biederman)
Cc: <git@vger.kernel.org>
Subject: Re: [RFC][PATCH] Allow transfer of any valid sha1
Date: Wed, 24 May 2006 02:07:13 -0700 [thread overview]
Message-ID: <7vejyjpz9a.fsf@assigned-by-dhcp.cox.net> (raw)
In-Reply-To: <m164jvj1x3.fsf@ebiederm.dsl.xmission.com> (Eric W. Biederman's message of "Wed, 24 May 2006 01:51:36 -0600")
ebiederm@xmission.com (Eric W. Biederman) writes:
> Can we fix the check in upload-pack.c something like my
> patch below does? Are there any security implications for
> doing that?
> Could we just make the final check before dying if (!o) ?
The primary implication is about correctness, so I am reluctant
to break it without a careful alternative check in place.
The issue is that having a single object in the repository does
not guarantee that you have everything reachable from it, and we
need that guarantee. Reachability from the refs is what
guarantees that.
We are careful to update the ref at the very end of the transfer
(fetch/clone or push); so if an object is reachable from a ref,
then all the objects reachable from that object are available in
the repository.
Imagine http commit walker started fetching tip of upstream into
your repository and you interrupted the transfer. Objects near
the tip of the upstream history are available after such an
interrupted transfer. But a bit older history (but still later
than what we had before we started the transfer) are not.
We do not update the ref with the downloaded tip object, so that
we would not break the guarantee. This guarantee is needed for
feeding clients from the repository later. If you tell your
clients, after such an interrupted transfer, that you are
willing to serve the objects near the (new) tip, the clients may
rightfully request objects that are reachable from these
objects, some of them you do _not_ have!
So this "on demand SHA1" stuff needs to be solved by checking if
the given object is reachable from our refs in upload-pack,
instead of the current check to see if the given object is
pointed by our refs. When upload-pack can prove that the object
is reachable from one of the refs, it is OK to use it; otherwise
you should not.
Now, proving that a given SHA1 is the name of an object that
exists in the repository is cheap (has_sha1_file()), but proving
that the object is reachable from some of our refs can become
quite expensive. That gives this issue a security implication
as well -- you can easily DoS the git-daemon that way, for
example.
next prev parent reply other threads:[~2006-05-24 9:07 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-05-24 7:51 [RFC][PATCH] Allow transfer of any valid sha1 Eric W. Biederman
2006-05-24 9:07 ` Junio C Hamano [this message]
2006-05-25 5:09 ` Eric W. Biederman
2006-05-25 6:36 ` Junio C Hamano
2006-05-25 17:00 ` Eric W. Biederman
2006-05-25 17:28 ` Linus Torvalds
2006-05-25 17:59 ` Eric W. Biederman
2006-05-25 18:28 ` Junio C Hamano
2006-05-25 18:36 ` Linus Torvalds
2006-05-25 20:30 ` Eric W. Biederman
2006-05-25 20:53 ` Junio C Hamano
2006-05-26 8:27 ` Eric W. Biederman
2006-05-26 10:04 ` Junio C Hamano
2006-05-26 17:32 ` Eric W. Biederman
2006-05-25 20:50 ` Eric W. Biederman
2006-05-25 21:04 ` Junio C Hamano
2006-05-26 8:32 ` Eric W. Biederman
2006-06-08 9:33 ` Eric W. Biederman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=7vejyjpz9a.fsf@assigned-by-dhcp.cox.net \
--to=junkio@cox.net \
--cc=ebiederm@xmission.com \
--cc=git@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox