diff options
author | 2014-01-06 14:19:42 -0400 | |
---|---|---|
committer | 2014-01-06 14:19:42 -0400 | |
commit | ef9427c011b528aa7c3da628b6131b2e3aeed163 (patch) | |
tree | 73198a2d3bca85bd0bf8efbdd24e3e72516838ef /doc/todo/git_annex_get___60__file__62___should_verify_file_hash.mdwn | |
parent | 498a98dc5a811fd2a9854c818c7f536d9a8a437d (diff) |
move wishlist item out out of bug list
Diffstat (limited to 'doc/todo/git_annex_get___60__file__62___should_verify_file_hash.mdwn')
-rw-r--r-- | doc/todo/git_annex_get___60__file__62___should_verify_file_hash.mdwn | 32 |
1 files changed, 32 insertions, 0 deletions
diff --git a/doc/todo/git_annex_get___60__file__62___should_verify_file_hash.mdwn b/doc/todo/git_annex_get___60__file__62___should_verify_file_hash.mdwn new file mode 100644 index 000000000..f680729ac --- /dev/null +++ b/doc/todo/git_annex_get___60__file__62___should_verify_file_hash.mdwn @@ -0,0 +1,32 @@ +### Please describe the problem. +git annex get fileName- should perform a hash check on the file content before adding to the local repository + + +### What steps will reproduce the problem? +Two scenarios: +1) Malicious user and owner of repository being pulled from can edit his/her local .git/annex/objects directory +to alter the file content. For src code, this could be to insert a bug, insert a backdoor, or for example +to replace an image file artifact for a website, with a pornographic image. +The user pulling the file content with "git annex get fileName" might not be aware of the file contents +until they actually examine the file or perform an fsck or commit locally. +In the meantime a kiddy porn image could be sitting in their repository or a src code backdoor can get incorporated and deployed etc. +2) a file could also simply get corrupted during download. An inherent hash check during the 'annex get' would +point out the problem immediately. +To reproduce: create repoNum1, and clone it to create repoNum2. manual edit/replace content in repoNum1/.git/annex/objects/... +then perform a 'git annex get <fileName>' from repoNum2 on the file that has been manipulated + + +### What version of git-annex are you using? On what operating system? +3.2012112ubuntu2 on running linux mint + + +### Please provide any additional information below. + +Aside: Thanks Joey - this is fantastic work you are doing. You have really improved git. The ability to checkout +an entire tree - but selectively get only the content actually needed is a real killer feature. +Kudos and again many many thanks +M. + + +# End of transcript or log. +"""]] |