Yeah, I was a bit supprised to learn this wasn't on by default, and I can't imagine this is common (or expected), since I'd like to think I know a fair amount about Git.
Thanks for bring it upstream!
This seems like a big deal for Debian, since a large number of our
repos[1] still use an insecure transport, which means it's *trivial* to
actively tamper with the source that we see post-clone, without even giving
them a split view of the repo (and showing a problem on push)!
It's vital we turn on fsck to true for transfer.fsckobjects on developer
~/.gitconfigs while we wait back about this.
Thanks for all your work!
Paul
[1]: Currently 28,932 source packages; as seen on
https://lintian.debian.org/tags/vcs-field-uses-insecure-uri.html
signature.asc
Description: PGP signature

