"fetching arbitrary (maybe dangling) commits may be a security risk"

[ghost]

nixpkgs/pkgs/build-support/fetchgit/default.nix

Line 35 in f0db300

This is because fetching arbitrary (maybe dangling) commits may be a security risk

Can anybody provide a pointer on why allowing dangling commits to be fetched is a security risk? I can't seem to find any details on this. Is the risk because people assume "unreachable" means "deleted"?

[kilianar]

There's a guess in NixOS/nix#4760 (comment). @MarcWeber is the original author of the fetchgit documentation (see edf78fc)

[ghost]

There's a guess in NixOS/nix#4760 (comment).

Hrm, that guess has to do with github's PRs, not with anything in git.

[ghost]

Well, I found a reason why git would want to prohibit this, but it isn't related to security.

If you git push --force origin mybranch:mybranch a branch, the commit that origin/mybranch used to point to is still available in the origin repository -- at least until the next git gc happens.

If people are allowed to fetch commits by their hash even when those commits are unreachable, a force-push like this would put those commits at risk of being garbage collected. But nobody would notice the breakage until (potentially) much later, when a git gc happened, and by then it will be too late to recover the lost commit. But since users are forced to mention a commit from which their desired ref is reachable, they will notice the breakage immediately. Most important of all, they will notice while there is probably still time to rescue the now-gc-able commit.

I think this is the reason.

If nobody else can come up with a security-related explanation I'm going to submit a PR to remove the word "security" in fetchgit/default.nix.