From: Junio C Hamano <gitster@pobox.com>
To: Patrick Steinhardt <ps@pks.im>
Cc: git@vger.kernel.org, Jeff King <peff@peff.net>,
Taylor Blau <me@ttaylorr.com>
Subject: Re: [PATCH] object-file: fix race in object collision check
Date: Mon, 30 Dec 2024 06:54:24 -0800 [thread overview]
Message-ID: <xmqqseq5z0f3.fsf@gitster.g> (raw)
In-Reply-To: <Z3KzHJagr_3Fkz67@pks.im> (Patrick Steinhardt's message of "Mon, 30 Dec 2024 15:50:04 +0100")
Patrick Steinhardt <ps@pks.im> writes:
> On Mon, Dec 30, 2024 at 06:40:53AM -0800, Junio C Hamano wrote:
>> Patrick Steinhardt <ps@pks.im> writes:
>>
>> > By definition, two files cannot collide with each other when one of them
>> > has been removed. We can thus trivially fix the issue by ignoring ENOENT
>> > when opening either of the files we're about to check for collision.
>>
>> Thanks for digging it down to the cause.
>>
>> It is more like even if these two files collided (i.e. have the same
>> name based on what the hash function says, with different contents),
>> when one of them has been removed, we have no way to check if the
>> collision is benign, and even if it were not, we cannot do anything
>> about it, isn't it?
>
> Depends on what "benign" means in this context, I guess. We can only
> assert the most trivial case of it being "benign", namely that we have
> computed a packfile that actually is the exact same. This is also going
> to be the most common case, as everything else would depend on a
> cryptographic collision of the packfile contents. And in that case... we
> cannot do anything about it, yes.
Yes, the whole point of this collision check is to notice the rare
case where we are under attack with cryptographic collision, so
"most of the time it is OK so not being able to check is fine" is
not an impression we want to give readers.
> The idea would be to only handle ENOENT for the second case. But in the
> end I don't think it's worth the complexity because `check_collision()`
> is used before rename(3p)ing the former into place, and that function
> would already notice ENOENT anyway. So we would eventually just die the
> same.
Thanks for thinking it through. Queued.
next prev parent reply other threads:[~2024-12-30 14:54 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-12-30 10:32 [PATCH] object-file: fix race in object collision check Patrick Steinhardt
2024-12-30 14:40 ` Junio C Hamano
2024-12-30 14:50 ` Patrick Steinhardt
2024-12-30 14:54 ` Junio C Hamano [this message]
2024-12-31 1:42 ` Jeff King
2025-01-01 16:50 ` Junio C Hamano
2025-01-01 18:19 ` Jeff King
2025-01-03 7:16 ` Patrick Steinhardt
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=xmqqseq5z0f3.fsf@gitster.g \
--to=gitster@pobox.com \
--cc=git@vger.kernel.org \
--cc=me@ttaylorr.com \
--cc=peff@peff.net \
--cc=ps@pks.im \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).