On Fri, Jan 25, 2013 at 12:45 AM, Junio C Hamano <gits...@pobox.com> wrote:
>> How about this way instead: we keep track of where objects come from
>> so we can verify object source when we create or update something
>> that contains SHA-1.
> The overall approach taken by this series may be worth considering, but
> I do not think the check implemented here is correct.
> An object may be found in an alternate odb but we may also have our
> own copy of the same object. You need to prove that a suspicious
> object is visible to us *ONLY* through add_submodule_odb().
The way alt odbs are linked (new odbs are always at the end), if we
have the same copy, their copy will never be read (we check out alt
odbs from head to tail). So those duplicate suspicious objects are
actually invisible to us.
> Once you do add_submodule_odb() to contaminate our object pool, you
> make everything a suspicious object that needs to be checked; that
> is the worst part of the story.
And because we never really touch their alt copy, the returned alt
source is "ours", trusted and not checked. The check should only occur
on objects that we do not have.
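A small C model of the lookup order argued in the reply above, added here as an illustration; it is not code from git or from either author. The struct, the function names other than the reference to add_submodule_odb(), and the object ids are all constructed for the example.

```c
#include <stdio.h>
#include <string.h>
/* Simplified model, not git's own structures. Ids are constructed samples. */
struct odb {
    int from_submodule;      /* 1 if added the way add_submodule_odb() would */
    const char *const *ids;  /* NULL-terminated list of object ids */
    struct odb *next;
};
/* New odbs always go to the tail of the chain. */
static void odb_append(struct odb **head, struct odb *o)
{
    while (*head)
        head = &(*head)->next;
    o->next = NULL;
    *head = o;
}

/* Search head to tail; the first odb holding the id is the object's source. */
static const struct odb *odb_source(const struct odb *head, const char *id)
{
    for (; head; head = head->next)
        for (const char *const *p = head->ids; *p; p++)
            if (!strcmp(*p, id))
                return head;
    return NULL;
}

/* Only an object whose source is a submodule odb needs the extra check. */
static int needs_check(const struct odb *head, const char *id)
{
    const struct odb *src = odb_source(head, id);
    return src && src->from_submodule;
}

static const char *const own_ids[] = { "aaaa", "bbbb", NULL };
static const char *const sub_ids[] = { "bbbb", "cccc", NULL };
static struct odb own = { 0, own_ids, NULL };
static struct odb sub = { 1, sub_ids, NULL };
static struct odb *build_chain(void)
{
    struct odb *head = NULL;
    odb_append(&head, &own);   /* our own odb is searched first */
    odb_append(&head, &sub);   /* submodule odb lands at the end */
    return head;
}
int main(void)
{
    printf("bbbb=%d cccc=%d\n", needs_check(build_chain(), "bbbb"), needs_check(build_chain(), "cccc"));
    return 0;
}
```

The id "bbbb" exists in both odbs but resolves to the first one in the chain, so only "cccc", which is reachable solely through the appended odb, is flagged.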