Aloisius 4 days ago

> The git client tells the server what commits it doesn't have, so this is simple to check.

That won't work. The first thing the client does is ask the server for a list of references with their oids (ls-refs). It only asks for oids and reports what oids it has after the server responds.

You'd need another way to identify that the client asking for references was the same one you vended the tampered source tree to, otherwise, you'd need to respond with the refs' real oids and the fetch would fail since there's no way to get from the oid the user has to the real one.
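
An added illustration, not part of the comment above and not git's own code: the sketch below frames the two protocol v2 requests as pkt-lines and shows that the ls-refs request carries no object ids, while `want`/`have` lines only appear in the later fetch request. The oids and the agent string are constructed sample values.

```python
# Added example: git protocol v2 pkt-line framing over constructed requests.
FLUSH, DELIM = b"0000", b"0001"   # special packets: flush-pkt and delim-pkt

def pkt(line: str) -> bytes:
    """Frame one line: 4 hex digits of total length (header included) + payload."""
    data = line.encode() + b"\n"
    return b"%04x" % (len(data) + 4) + data

def parse(stream: bytes):
    """Yield ('flush'|'delim'|'end', None) or ('data', text) for each pkt-line."""
    special = {0: "flush", 1: "delim", 2: "end"}
    pos = 0
    while pos < len(stream):
        size = int(stream[pos:pos + 4], 16)
        if size in special:
            yield special[size], None
            pos += 4
            continue
        if size < 4 or pos + size > len(stream):
            raise ValueError(f"malformed pkt-line at offset {pos}")
        yield "data", stream[pos + 4:pos + size].decode().rstrip("\n")
        pos += size

def summarize(request: bytes) -> dict:
    """Report the command and any object ids the client disclosed in it."""
    out = {"command": None, "wants": [], "haves": []}
    for kind, text in parse(request):
        if kind != "data":
            continue
        if text.startswith("command="):
            out["command"] = text.split("=", 1)[1]
        elif text.startswith("want "):
            out["wants"].append(text[5:])
        elif text.startswith("have "):
            out["haves"].append(text[5:])
    return out

WANT, HAVE = "a" * 40, "b" * 40   # constructed oids, not real commits

# First request: the client only asks for refs; it sends no oids of its own.
LS_REFS = (pkt("command=ls-refs") + pkt("agent=example-client") + DELIM
           + pkt("peel") + pkt("symrefs") + pkt("ref-prefix refs/heads/") + FLUSH)

# Later request, sent after the server has already answered ls-refs.
FETCH = (pkt("command=fetch") + DELIM
         + pkt("want " + WANT) + pkt("have " + HAVE) + pkt("done") + FLUSH)

if __name__ == "__main__":
    print(summarize(LS_REFS))
    print(summarize(FETCH))
```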

cyberpunk 4 days ago

Or use signed commits?