> -----Original Message-----
> From: Junio C Hamano
> Sent: Monday, November 26, 2012 3:38 PM
> 
> "Pyeron, Jason J CTR (US)" writes:
> 
> > In this situation we should assume that the bundle does not have
> > any content which is already in the public repository, that is it
> > has the minimum data to make it pass a git bundle verify from the
> > public repository's point of view. We would then take the bundle
> > and pipe it through the "git-bundle2text" program which would
> > result in a "human" inspectable format as opposed to the packed
> > format[2]. The security reviewer would then see all the
> > information being released and with the 

*** Assumed that the inspector had a copy of the original public repo

> > help of the public
> > repository see how the data changes the repository.



> 
> The bundle file is a thinly wrapped packfile, with extra information
> that tells what objects in the bundle are the tips of histories and
> what objects the repository the bundle gets unbundled into has to have.
> So your "git-bundle2text" would likely involve fetching from the
> bundle and inspecting the resulting history and the working tree
> files.

Yea, I knew the inspection tool was going to get messy.

-Jason
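
The bundle layout described in the quoted reply (a header naming the tips and the objects the receiving repository must already have, followed by a packfile) can be read without unpacking anything. The sketch below is an added example, not part of the original thread and not Git's own code; the function names and the sample bytes are constructed for illustration, and it handles only the v2 header and the 12-byte pack header.

```python
import re
import struct

SIGNATURE = b"# v2 git bundle\n"
OID_RE = re.compile(r"[0-9a-f]{40}")


def check_oid(oid: str) -> str:
    """Reject anything that is not a 40-hex-digit SHA-1 object name."""
    if not OID_RE.fullmatch(oid):
        raise ValueError(f"malformed object id: {oid!r}")
    return oid


def parse_bundle(data: bytes) -> dict:
    """Return prerequisites, tips and a pack summary for a v2 bundle."""
    if not data.startswith(SIGNATURE):
        raise ValueError("not a v2 git bundle")
    pos = len(SIGNATURE)
    prerequisites, tips = [], []
    while True:
        end = data.find(b"\n", pos)
        if end == -1:
            raise ValueError("header not terminated by a blank line")
        line = data[pos:end].decode("utf-8", "replace")
        pos = end + 1
        if line == "":                      # blank line ends the header
            break
        if line.startswith("-"):            # object the receiver must have
            oid, _, comment = line[1:].partition(" ")
            prerequisites.append((check_oid(oid), comment))
        else:                               # tip of a history in the bundle
            oid, sep, ref = line.partition(" ")
            if not sep or not ref:
                raise ValueError(f"malformed ref line: {line!r}")
            tips.append((check_oid(oid), ref))
    pack = data[pos:]
    if len(pack) < 12 or pack[:4] != b"PACK":
        raise ValueError("no packfile after the bundle header")
    version, count = struct.unpack(">II", pack[4:12])
    return {"prerequisites": prerequisites, "tips": tips,
            "pack_version": version, "object_count": count}


# Constructed sample: one prerequisite, one tip, and a pack header only
# (a real bundle carries the packed objects and a trailing checksum).
SAMPLE = (SIGNATURE
          + b"-" + b"a" * 40 + b" public tip\n"
          + b"b" * 40 + b" refs/heads/release\n"
          + b"\n"
          + b"PACK" + struct.pack(">II", 2, 3))

if __name__ == "__main__":
    print(parse_bundle(SAMPLE))
```

This shows a reviewer which refs a bundle would update and which objects it expects to find already present; the content of the packed objects still has to be inspected by fetching from the bundle, as the quoted reply says.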
