Russ Allbery <r...@debian.org> writes:

> Or, of course, find a way to disable the author/committer checks, which I
> suspect are most of the failures, and keep the object hash checks.

Apologies, I should have done a bit more research before sending my
message.  Adding the following to my .gitconfig allows me to clone the
coreutils repository:

[fetch "fsck"]
       missingSpaceBeforeDate = ignore

So it would be possible for us to develop a list of problems like this to
ignore for the purposes of tag2upload if we believed they were
unimportant.

I'm a little bit dubious about this.  If I were the dgit-repos archive
maintainer, I would want to enforce an invariant that all repositories
passed git fsck because it feels like an annoying slippery slope to open.
But it would be possible to go this direction.

> The alternative would be to add some sort of support for fsck.skipList,
> but that seems like annoying and arguably unnecessary complexity that
> potentially reintroduces the same security problem via a different
> route.

I see that fsck.skipList explicitly says that corrupt objects cannot be
skipped, so while the rest of this paragraph continues to apply, I am now
less concerned about this introducing security issues.

-- 
Russ Allbery (r...@debian.org)              <https://www.eyrie.org/~eagle/>
