Re: [RFC 0/4] Shallow clones with on-demand fetch
- Date: Mon, 06 Mar 2017 11:18:30 -0800
- From: Junio C Hamano <gitster@xxxxxxxxx>
- Subject: Re: [RFC 0/4] Shallow clones with on-demand fetch

Mark Thomas <markbt@xxxxxxxxxx> writes:

> This is a proof-of-concept, so it is in no way complete. It contains a
> few hacks to make it work, but these can be ironed out with a bit more
> work. What I have so far is sufficient to try out the idea.

Two things that immediately come to mind (which may or may not be
real issues) are

 (1) What (if any) security model you have in mind.

     From object-confidentiality's point of view, this needs to be
     enabled only on a host that allows
     uploadpack.allowAnySHA1InWant but even riskier.

     From a DoS point of view, you can make a short 40-byte request to
     cause the other side to emit megabytes of stuff. I do not think
     it is a new problem (anybody can repeatedly request a clone of
     large stuff), but there may be new ramifications.

 (2) If the interface to ask for just one object kills the whole idea
     due to roundtrip latency.

     You may want to be able to say "I want all objects reachable
     from this tree; please give me a packfile of needed objects
     assuming that I have all objects reachable from this other tree
     (or these other trees)".