The idea behind this series is, after add_submodule_odb, odb may have
new temporary objects that only appear after the call. These temporary
objects may lead to repo corruption (e.g. some new objects are created
and point to these temporary objects). This series attempts to catch
those cases. It would make it safer to dig deeper into submodule's odb,
e.g. to implement unified git-diff.

Previous approach [1] is record the odb source, then check if the
source is from submodule's odb. But that means we rely on the
lookup order in sha1_file.c. This approach instead allows the caller
to select what odb sources it wants to look up from.

The checks are also less drastic than before. Checks are now done at
higher level, e.g. commit_tree(), instead of at write_sha1_file,
because we do allow to write objects that point to nowhere.

Another new thing from previous round is I completely forbid the use
of add_submodule_odb in security sensitive commands like index-pack or
rev-list. We could loosen up later if we need to.

For fun, I set object_database_contaminated to 1 by default and ran
the test suite. It passed :)


Nguyễn Thái Ngọc Duy (8):
  sha1_file: allow to select pack origin when looking up an object
  sha1_file: keep track of alternate source of objects
  sha1_file: mark alt object database from add_submodule_odb()
  sha1_file: new object source for submodule's alt object database
  commit.c: refuse to write commits referring to external objects
  cache-tree.c: refuse to write trees referring to external objects
  mktag: refuse to write tags referring to external objects
  sha1_file: do write objects even if found in ODB_EXTALT database

 builtin/index-pack.c |   2 +-
 builtin/mktag.c      |   5 +-
 cache-tree.c         |   3 +-
 cache.h              |  38 +++++++--
 commit.c             |   9 ++
 environment.c        |   2 +
 fast-import.c        |   4 +-
 git.c                |  10 ++-
 pack-check.c         |   2 +-
 sha1_file.c          | 236 ++++++++++++++++++++++++++++++++++++---------------
 streaming.c          |   4 +-
 submodule.c          |   5 +-
 12 files changed, 233 insertions(+), 87 deletions(-)


To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to
More majordomo info at

Reply via email to