This repository has been archived by the owner on Nov 7, 2024. It is now read-only.
tar: validate imported object set #1
Labels
enhancement
New feature or request
Comments
cgwalters
changed the title
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Due to the way ostree HTTP pulls work, we only fetch objects referenced transitively from a commit.
But when importing from a tarball, it's much more of a "push" model. A malicious blob could inject objects not referenced by the commit.
We should keep track of the set of objects starting from the first commit object (after validating it) and fatally error if we find something not in that set.
The text was updated successfully, but these errors were encountered: