git.vger.kernel.org archive mirror
From: Junio C Hamano <gitster@pobox.com>
To: Jeff King <peff@peff.net>
Cc: "brian m. carlson" <sandals@crustytoothpaste.net>,
	 Johannes Schindelin <Johannes.Schindelin@gmx.de>,
	 git@vger.kernel.org,  "W. Michael Petullo" <mike@flyn.org>
Subject: Re: Git clone reads safe.directory differently?
Date: Mon, 05 Aug 2024 08:49:21 -0700
Message-ID: <xmqqzfpr3r7i.fsf@gitster.g>
In-Reply-To: <20240805094709.GA632664@coredump.intra.peff.net> (Jeff King's message of "Mon, 5 Aug 2024 05:47:09 -0400")

Jeff King <peff@peff.net> writes:

> I suspect it could be made to give similar guarantees, but I don't think
> anybody has ever made a conscious effort.

I also recall that we thought upload-pack was safe because it does
nothing more than what it was asked to do, until we realized that in
a lazy clone it would slurp what it is missing from its promisors,
at which point it does more than just "serve things from here".

What worries me more is the fact that any such evaluation can only
be about the current state.  A careless change to, say, pack-objects
that allows innocent looking customization to take place _could_
turn out to be triggerable by the repository when upload-pack is
run, and the "innocent looking" customization may be more generic
than necessary and can be used creatively to cause damage.  "Don't
allow any customizations to 'rev-list' because its internals are
shared with 'pack-objects' that in turn is run from 'upload-pack'"
would not be an answer.

It is unclear to me how to make sure such an evaluation, that was
done once in the past, will stay valid.  That is something we need
to come up with a viable approach and document, too.

Thanks.
