
Re: [RFC 0/4] Shallow clones with on-demand fetch




Mark Thomas <markbt@xxxxxxxxxx> writes:

> This is a proof-of-concept, so it is in no way complete.  It contains a
> few hacks to make it work, but these can be ironed out with a bit more
> work.  What I have so far is sufficient to try out the idea.

Two things that immediately come to mind (which may or may not be
real issues) are 

 (1) What (if any) security model you have in mind.

     From object-confidentiality's point of view, this needs to be
     enabled only on a host that allows
     uploadpack.allowAnySHA1InWant but even riskier.

     From DoS point of view, you can make a short 40-byte request to
     cause the other side to emit megabytes of stuff.  I do not think
     it is a new problem (anybody can repeatedly request a clone of
     large stuff), but there may be new ramifications.

 (2) If the interface to ask just one object kills the whole idea
     due to roundtrip latency.

     You may want to be able to say "I want all objects reachable
     from this tree; please give me a packfile of needed objects
     assuming that I have all objects reachable from this other tree
     (or these other trees)".
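
An added example, not part of the original message or of git itself: a small audit helper that reads one repository's config text and reports the broadest `uploadpack.allow*SHA1InWant` setting enabled, so a host admin can see which repositories would serve unadvertised objects. The function names and sample configs are constructed for illustration; the helper assumes one key per line, looks at a single config file (not system or global config), and treats each key independently.

```python
import re

# Keys that widen what upload-pack serves beyond advertised ref tips,
# ordered from narrowest to broadest.
WANT_KEYS = ["allowtipsha1inwant", "allowreachablesha1inwant", "allowanysha1inwant"]
TRUE_WORDS = {"true", "yes", "on", "1"}

# Constructed sample configs (not taken from any real host).
SAMPLE_DEFAULT = "[core]\n\tbare = true\n"
SAMPLE_ANY = (
    "[core]\n\tbare = true\n"
    "[uploadpack]\n"
    "\tallowReachableSHA1InWant = true\n"
    "\tallowAnySHA1InWant = yes ; constructed\n"
)

def uploadpack_settings(config_text):
    """Return {key: bool} for the want-policy keys found under [uploadpack]."""
    section, found = None, {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        header = re.match(r"\[(.*)\]$", line)
        if header:
            # Section names are case-insensitive; a subsection such as
            # [remote "x"] keeps its quoted part and so never equals "uploadpack".
            section = header.group(1).strip().lower()
            continue
        if section != "uploadpack":
            continue
        key, sep, value = line.partition("=")
        key = key.strip().lower()
        if key in WANT_KEYS:
            # A key with no "= value" is boolean true in git config syntax.
            word = re.split(r"[#;]", value)[0].strip().strip('"').lower()
            found[key] = (not sep) or word in TRUE_WORDS
    return found

def broadest_want_policy(config_text):
    """Name the broadest enabled key, or 'advertised-tips-only' if none is on."""
    settings = uploadpack_settings(config_text)
    for key in reversed(WANT_KEYS):
        if settings.get(key):
            return key
    return "advertised-tips-only"

if __name__ == "__main__":
    for name, text in [("default", SAMPLE_DEFAULT), ("any", SAMPLE_ANY)]:
        print(name, "->", broadest_want_policy(text))
```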