On Thu 2016-02-04 00:04:19 -0500, Mike Hommey wrote:
> Git is, in fact, safe by default. See
> https://news.ycombinator.com/item?id=11032094

Thanks for the followup, Mike.

That post says:

>>  So, it turns out that there's nothing to see under the sun. When
>>  pulling, what you get is a pack, and not its index. The index is
>>  created locally after retrieval. Packs don't contain the SHA-1s, so the
>>  process of creating the pack index does, in fact, compute the
>>  SHA-1s. So if a pack is altered somehow to contain objects with a
>>  different SHA-1 than the advertised one as in the parent comment, what
>>  happens is that the connectivity check that happens after all that will
>>  complain about the missing commits, trees or blobs.
>> 
>>  In the altered repository in the parent, actually doing a commit and
>>  then cloning (non-local, because local clones cheat) will yield an
>>  error about the missing 78981922613b2afb6025042ff6bd878ac1994e85.

I'm not well-versed in the git internals or the git network protocol.
When pulling or fetching cloning or doing "git remote update" or any
other form of transfer, does git *always* pull a pack and then do a
connectivity check, or are there circumstances/transport options
available to a malicious server (or a malicious network in the case of
cleartext git:// or http:// access) that would transmit the object
directly, or would omit the connectivity check?

What does "local clones cheat" mean?

     --dkg

Reply via email to