author | Mike <Mike@web> | 2013-12-14 14:28:28 +0000 |
---|---|---|
committer | admin <admin@branchable.com> | 2013-12-14 14:28:28 +0000 |
commit | 439248d3ebb0f71d5b5568177be90176c6ba50f1 (patch) | |
tree | c5b269ed91e89c08e38cde1d65dca325aaa3cb34 | |
parent | e970c6585f7dde2e49e29063cbcf402eac80d221 (diff) |
-rw-r--r-- | doc/bugs/git_annex_get___60__file__62___should_verify_file_hash.mdwn | 32 |
1 files changed, 32 insertions, 0 deletions
diff --git a/doc/bugs/git_annex_get___60__file__62___should_verify_file_hash.mdwn b/doc/bugs/git_annex_get___60__file__62___should_verify_file_hash.mdwn new file mode 100644 index 000000000..f680729ac --- /dev/null +++ b/doc/bugs/git_annex_get___60__file__62___should_verify_file_hash.mdwn @@ -0,0 +1,32 @@ +### Please describe the problem. +git annex get fileName- should perform a hash check on the file content before adding to the local repository + + +### What steps will reproduce the problem? +Two scenarios: +1) Malicious user and owner of repository being pulled from can edit his/her local .git/annex/objects directory +to alter the file content. For src code, this could be to insert a bug, insert a backdoor, or for example +to replace an image file artifact for a website, with a pornographic image. +The user pulling the file content with "git annex get fileName" might not be aware of the file contents +until they actually examine the file or perform an fsck or commit locally. +In the meantime a kiddy porn image could be sitting in their repository or a src code backdoor can get incorporated and deployed etc. +2) a file could also simply get corrupted during download. An inherent hash check during the 'annex get' would +point out the problem immediately. +To reproduce: create repoNum1, and clone it to create repoNum2. manual edit/replace content in repoNum1/.git/annex/objects/... +then perform a 'git annex get <fileName>' from repoNum2 on the file that has been manipulated + + +### What version of git-annex are you using? On what operating system? +3.2012112ubuntu2 on running linux mint + + +### Please provide any additional information below. + +Aside: Thanks Joey - this is fantastic work you are doing. You have really improved git. The ability to checkout +an entire tree - but selectively get only the content actually needed is a real killer feature. +Kudos and again many many thanks +M. + + +# End of transcript or log. +"""]] |
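Review bot: the new file ends with `# End of transcript or log.` followed by a closing `"""]]`, but none of the 32 added lines opens that directive, so the markup is unbalanced and the last section will not render as intended. Either restore the opening line of the transcript block or drop the two trailing lines. In the version section, `3.2012112ubuntu2` looks like it has lost a digit from a date-style version, so it is worth confirming against the installed package. The reproduction steps end at running `git annex get <fileName>` from repoNum2 and do not say what was observed, so add one line stating the actual result (the altered content is accepted without complaint) next to the expected one (the get fails on a hash mismatch). That makes the report testable for both scenarios it lists, the tampered `.git/annex/objects` case and the corrupted download.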