On Thu 2016-02-04 00:04:19 -0500, Mike Hommey wrote:
> Git is, in fact, safe by default. See
> https://news.ycombinator.com/item?id=11032094
Thanks for the followup, Mike.
That post says:
>> So, it turns out that there's nothing to see under the sun. When
>> pulling, what you get is a pack, and not its index. The index is
>> created locally after retrieval. Packs don't contain the SHA-1s, so the
>> process of creating the pack index does, in fact, compute the
>> SHA-1s. So if a pack is altered somehow to contain objects with a
>> different SHA-1 than the advertised one as in the parent comment, what
>> happens is that the connectivity check that happens after all that will
>> complain about the missing commits, trees or blobs.
>>
>> In the altered repository in the parent, actually doing a commit and
>> then cloning (non-local, because local clones cheat) will yield an
>> error about the missing 78981922613b2afb6025042ff6bd878ac1994e85.
I'm not well-versed in the git internals or the git network protocol.
When pulling or fetching cloning or doing "git remote update" or any
other form of transfer, does git *always* pull a pack and then do a
connectivity check, or are there circumstances/transport options
available to a malicious server (or a malicious network in the case of
cleartext git:// or http:// access) that would transmit the object
directly, or would omit the connectivity check?
What does "local clones cheat" mean?
--dkg