On Thu, Feb 22, 2018 at 02:42:35PM -0800, Jonathan Nieder wrote:
> > I couldn't quite get it to work, but I think it's because I'm doing
> > something wrong with the submodules. But I also think this attack would
> > _have_ to be done over ssh, because on a local system the submodule
> > clone would be a hard-link rather than a real fetch.
>
> What happens if the submodule URL starts with file://?

Ah, that would do it. Or I guess any follow-up fetch.

I'm still having trouble convincing submodules to fetch _just_ the
desired sha1, though. It always just fetches everything. I know there's
a way that this kicks in (that's why we have things like
allowReachableSHA1InWant), but I'm not sufficiently well-versed in
submodules to know how to trigger it.