I may need to be nudged in a better direction, but please try to understand my 
intentions.

I am facing a situation where I would like to use git bundle but at the same 
time inspect the contents to prevent a spillage[1].

Given we have a public repository which was cloned onto a secret development 
repository. Now the developers do some work which should not be sensitive in 
any way and commit and push it to the secret repository.

Now they want to release it out to the public. The current process is to review 
the text files to ensure that there is no "secret" sauce in there and then 
approve its release. This current process ignores the change tracking and all 
non-content is lost.

In this situation we should assume that the bundle does not have any content 
which is already in the public repository, that is, it has the minimum data to 
make it pass a git bundle verify from the public repository's point of view. We 
would then take the bundle and pipe it through the "git-bundle2text" program 
which would result in a "human" inspectable format as opposed to the packed 
format[2]. The security reviewer would then see all the information being 
released and with the help of the public repository see how the data changes 
the repository.

Am I barking up the right tree?

1: http://en.wikipedia.org/wiki/Spillage_of_Classified_Information
2: http://git-scm.com/book/ch9-4.html
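The reviewer-side step described above, as an added example that is not part of the original post or of git itself: it verifies a release bundle against a throwaway clone of the public repository, then prints every commit the bundle would add as a full patch. It assumes the bundle was created in the secret repository with only the objects the public side lacks (e.g. `git bundle create release.bundle public/master..master`); `review_bundle` and the `refs/bundle/` namespace are names chosen for this example.

```shell
#!/bin/sh
# Added example, not code from the original post or from git itself.
# Reviewer-side check of a release bundle against the public repository.
# Assumes the bundle was built in the secret repository with only the
# objects the public side lacks, e.g.
#   git bundle create release.bundle public/master..master
# Usage: review_bundle <public-repo-path> <bundle-path>

# Verifies the bundle's prerequisites against a throwaway clone of the
# public repository (never the public repository itself), fetches the
# bundle's heads into that clone, and prints every commit the bundle would
# add as a full patch so the reviewer sees exactly what would be released.
review_bundle() {
    public=$1 bundle=$2
    # The subshell changes directory, so the bundle path must be absolute.
    case $bundle in /*) ;; *) bundle=$PWD/$bundle ;; esac
    tmp=$(mktemp -d) || return 1
    # Quarantine clone: bundle objects land here, not in the public repo.
    git clone -q "$public" "$tmp/review" || { rm -rf "$tmp"; return 1; }
    (
        cd "$tmp/review" || exit 1
        # Fails (non-zero) when the public history lacks a prerequisite
        # commit, i.e. when the bundle was not built against public state.
        git bundle verify "$bundle" || exit 1
        # Pull the bundle's branches in under refs/bundle/ so they never
        # collide with the clone's own branches.
        git fetch -q "$bundle" 'refs/heads/*:refs/bundle/*' || exit 1
        # Everything reachable from the bundle heads but not from any public
        # (origin/*) ref is new material; show it oldest first, with the
        # file list and the complete diff (binary files appear in the stat).
        echo "New commits: $(git rev-list --count --glob='refs/bundle/*' \
                                            --not --remotes=origin)"
        git log --reverse --stat -p --glob='refs/bundle/*' --not --remotes=origin
        # Objects the bundle carried that no head references would be
        # invisible in the log above; list them so they get looked at too.
        echo "Unreferenced objects (should be empty):"
        git fsck --unreachable --no-reflogs || echo "fsck reported problems"
    )
    status=$?
    rm -rf "$tmp"
    return "$status"
}

if [ "$#" -eq 2 ]; then
    review_bundle "$1" "$2"
fi
```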
