diff options
| author | Vincent Ambo <mail@tazj.in> | 2021-09-21T10·03+0300 |
|---|---|---|
| committer | Vincent Ambo <mail@tazj.in> | 2021-09-21T11·29+0300 |
| commit | 43b1791ec601732ac31195df96781a848360a9ac (patch) | |
| tree | daae8d638343295d2f1f7da955e556ef4c958864 /third_party/git/Documentation/transfer-data-leaks.txt | |
| parent | 2d8e7dc9d9c38127ec4ebd13aee8e8f586a43318 (diff) | |
chore(3p/git): Unvendor git and track patches instead r/2903
This was vendored a long time ago under the expectation that keeping it in sync with cgit would be easier this way, but it has proven not to be a big issue. On the other hand, a vendored copy of git is an annoying maintenance burden. It is much easier to rebase the single (dottime) patch that we have. This removes the vendored copy of git and instead passes the git source code to cgit via `pkgs.srcOnly`, which includes the applied patch so that cgit can continue rendering dottime. Change-Id: If31f62dea7ce688fd1b9050204e9378019775f2b
Diffstat (limited to 'third_party/git/Documentation/transfer-data-leaks.txt')
| -rw-r--r-- | third_party/git/Documentation/transfer-data-leaks.txt | 30 |
1 files changed, 0 insertions, 30 deletions
diff --git a/third_party/git/Documentation/transfer-data-leaks.txt b/third_party/git/Documentation/transfer-data-leaks.txt deleted file mode 100644 index 914bacc39e0c..000000000000 --- a/third_party/git/Documentation/transfer-data-leaks.txt +++ /dev/null @@ -1,30 +0,0 @@ -SECURITY --------- -The fetch and push protocols are not designed to prevent one side from -stealing data from the other repository that was not intended to be -shared. If you have private data that you need to protect from a malicious -peer, your best option is to store it in another repository. This applies -to both clients and servers. In particular, namespaces on a server are not -effective for read access control; you should only grant read access to a -namespace to clients that you would trust with read access to the entire -repository. - -The known attack vectors are as follows: - -. The victim sends "have" lines advertising the IDs of objects it has that - are not explicitly intended to be shared but can be used to optimize the - transfer if the peer also has them. The attacker chooses an object ID X - to steal and sends a ref to X, but isn't required to send the content of - X because the victim already has it. Now the victim believes that the - attacker has X, and it sends the content of X back to the attacker - later. (This attack is most straightforward for a client to perform on a - server, by creating a ref to X in the namespace the client has access - to and then fetching it. The most likely way for a server to perform it - on a client is to "merge" X into a public branch and hope that the user - does additional work on this branch and pushes it back to the server - without noticing the merge.) - -. As in #1, the attacker chooses an object ID X to steal. The victim sends - an object Y that the attacker already has, and the attacker falsely - claims to have X and not Y, so the victim sends Y as a delta against X. - The delta reveals regions of X that are similar to Y to the attacker. |