builtin/receive-pack: add option to skip connectivity check

Git fork

During git-receive-pack(1), connectivity of the object graph is
validated to ensure that the received packfile does not leave the
repository in a broken state. This is done via git-rev-list(1) and
walking the objects, which can be expensive for large repositories.

Generally, this check is critical to avoid an incomplete received
packfile from corrupting a repository. Server operators may have
additional knowledge though around exactly how Git is being used on the
server-side which can be used to facilitate more efficient connectivity
computation of incoming objects.

For example, if it can be ensured that all objects in a repository are
connected and do not depend on any missing objects, the connectivity of
newly written objects can be checked by walking the object graph
containing only the new objects from the updated tips and identifying
the missing objects which represent the boundary between the new objects
and the repository. These boundary objects can be checked in the
canonical repository to ensure the new objects connect as expected and
thus avoid walking the rest of the object graph.

Git itself cannot make the guarantees required for such an optimization
as it is possible for a repository to contain an unreachable object that
references a missing object without the repository being considered
corrupt.

Introduce the --skip-connectivity-check option for git-receive-pack(1)
which bypasses this connectivity check to give more control to the
server-side. Note that without proper server-side validation of newly
received objects handled outside of Git, usage of this option risks
corrupting a repository.

Signed-off-by: Justin Tobler <jltobler@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

authored by

Justin Tobler and committed by

Junio C Hamano 9 months ago 68cb0b52 95262afe

+56 -18

3 changed files

expand all

unified split

Documentation

git-receive-pack.adoc

builtin

receive-pack.c

t5410-receive-pack.sh

+12

Documentation/git-receive-pack.adoc

··· 46 46 `$GIT_URL/info/refs?service=git-receive-pack` requests. See 47 47 `--http-backend-info-refs` in linkgit:git-upload-pack[1]. 48 48 49 + --skip-connectivity-check:: 50 + Bypasses the connectivity checks that validate the existence of all 51 + objects in the transitive closure of reachable objects. This option is 52 + intended for server operators that want to implement their own object 53 + connectivity validation outside of Git. This is useful in such cases 54 + where the server-side knows additional information about how Git is 55 + being used and thus can rely on certain guarantees to more efficiently 56 + compute object connectivity that Git itself cannot make. Usage of this 57 + option without a reliable external mechanism to ensure full reachable 58 + object connectivity risks corrupting the repository and should not be 59 + used in the general case. 60 + 49 61 PRE-RECEIVE HOOK 50 62 ---------------- 51 63 Before any ref is updated, if $GIT_DIR/hooks/pre-receive file exists

+22 -18

builtin/receive-pack.c

··· 81 81 static int auto_update_server_info; 82 82 static int auto_gc = 1; 83 83 static int reject_thin; 84 + static int skip_connectivity_check; 84 85 static int stateless_rpc; 85 86 static const char *service_dir; 86 87 static const char *head_name; ··· 1938 1939 return; 1939 1940 } 1940 1941 1941 - if (use_sideband) { 1942 - memset(&muxer, 0, sizeof(muxer)); 1943 - muxer.proc = copy_to_sideband; 1944 - muxer.in = -1; 1945 - if (!start_async(&muxer)) 1946 - err_fd = muxer.in; 1947 - /* ...else, continue without relaying sideband */ 1948 - } 1942 + if (!skip_connectivity_check) { 1943 + if (use_sideband) { 1944 + memset(&muxer, 0, sizeof(muxer)); 1945 + muxer.proc = copy_to_sideband; 1946 + muxer.in = -1; 1947 + if (!start_async(&muxer)) 1948 + err_fd = muxer.in; 1949 + /* ...else, continue without relaying sideband */ 1950 + } 1949 1951 1950 - data.cmds = commands; 1951 - data.si = si; 1952 - opt.err_fd = err_fd; 1953 - opt.progress = err_fd && !quiet; 1954 - opt.env = tmp_objdir_env(tmp_objdir); 1955 - opt.exclude_hidden_refs_section = "receive"; 1952 + data.cmds = commands; 1953 + data.si = si; 1954 + opt.err_fd = err_fd; 1955 + opt.progress = err_fd && !quiet; 1956 + opt.env = tmp_objdir_env(tmp_objdir); 1957 + opt.exclude_hidden_refs_section = "receive"; 1956 1958 1957 - if (check_connected(iterate_receive_command_list, &data, &opt)) 1958 - set_connectivity_errors(commands, si); 1959 + if (check_connected(iterate_receive_command_list, &data, &opt)) 1960 + set_connectivity_errors(commands, si); 1959 1961 1960 - if (use_sideband) 1961 - finish_async(&muxer); 1962 + if (use_sideband) 1963 + finish_async(&muxer); 1964 + } 1962 1965 1963 1966 reject_updates_to_hidden(commands); 1964 1967 ··· 2519 2522 2520 2523 struct option options[] = { 2521 2524 OPT__QUIET(&quiet, N_("quiet")), 2525 + OPT_HIDDEN_BOOL(0, "skip-connectivity-check", &skip_connectivity_check, NULL), 2522 2526 OPT_HIDDEN_BOOL(0, "stateless-rpc", &stateless_rpc, NULL), 2523 2527 OPT_HIDDEN_BOOL(0, "http-backend-info-refs", &advertise_refs, NULL), 2524 2528 OPT_ALIAS(0, "advertise-refs", "http-backend-info-refs"),

+22

t/t5410-receive-pack.sh

··· 62 62 test_must_fail git -C remote.git cat-file -e $(git -C repo rev-parse HEAD) 63 63 ' 64 64 65 + test_expect_success 'receive-pack missing objects bypasses connectivity check' ' 66 + test_when_finished rm -rf repo remote.git setup.git && 67 + 68 + git init repo && 69 + git -C repo commit --allow-empty -m 1 && 70 + git clone --bare repo setup.git && 71 + git -C repo commit --allow-empty -m 2 && 72 + 73 + # Capture git-send-pack(1) output sent to git-receive-pack(1). 74 + git -C repo send-pack ../setup.git --all \ 75 + --receive-pack="tee ${SQ}$(pwd)/out${SQ} | git-receive-pack" && 76 + 77 + # Replay captured git-send-pack(1) output on new empty repository. 78 + git init --bare remote.git && 79 + git receive-pack --skip-connectivity-check remote.git <out >actual 2>err && 80 + 81 + test_grep ! "missing necessary objects" actual && 82 + test_must_be_empty err && 83 + git -C remote.git cat-file -e $(git -C repo rev-parse HEAD) && 84 + test_must_fail git -C remote.git rev-list $(git -C repo rev-parse HEAD) 85 + ' 86 + 65 87 test_done