On Mon, 11 Feb 2008, Martin Koegler wrote:

quoted text
> On Mon, Feb 11, 2008 at 03:41:06PM -0500, Nicolas Pitre wrote:
> > On Mon, 11 Feb 2008, Martin Koegler wrote:
> > > Please remember, that --strict is used for pushing data.
> > 
> > And what exactly does it provide in terms of safetiness that index-pack 
> > doesn't already do?  I'm not sure I fully understood the goal here.
> 
> The patch is about verifing the content of objects. My intented use is
> for running a (restricted) server, which allows pushing via git-daemon
> (or git-shell) from (untrusted) users. It can be also used to catch
> corrupt objects, before they leave your repository, but this is for me
> only a side effect.
> 
> receive-pack accepts any crap (anything, which you can pipe into
> git-hash-object with -t parameter of your choice), if the pack file
> format is correct.
> 
> But lots of code in git assums that the object content is welformd.
> 
> Having such objects somewhere reachable in your repository will
> disturb cloning (In the best case you get a error messages, in the
> worst a child process of upload-pack segfaults), gitweb, ... . To fix
> it, you will need a person with native access to the repository in the
> worst case. 

OK that makes sense.

I think this is a good idea to always have some sanity checks on any 
incoming objects so to make sure they're well formed and valid before 
giving them a SHA1 value, and bail out as soon as any error is found.  
From my understanding that's what your patch is doing, right? (sorry I 
can't find them in my mailbox anymore).  This can be done as objects are 
coming in just fine and requires no extra memory, and I would say this 
should be done unconditionally all the time.  After all, the Git 
coherency model is based on the SHA1 checksuming, and therefore it is a 
good idea to never validate any malformed objects with a SHA1.  So I'm 
all in favor of such validation always performed in index-pack and 
unpack-objects.

As to making sure those objects are well connected... well this is a 
technically different issue entirely, and I wonder if a special mode to 
fsck might not be a better solution.  For example, fsck could be made to 
validate object connectivity, starting from the new ref(s), and stopping 
object walking as soon as a reference to an object not included in the 
newly received pack is encountered.  This could be run from some hook to 
decide whether or not to update the new refs, and to delete the pack 
otherwise.


Nicolas
-
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html