  • #247523
Issue created Sep 10, 2020 by Bob Van Landuyt (@reprazent, Maintainer)

Deduplicated objects from an internal repository are publicly accessible by name through a public project

In #33318 (closed) we made it possible to deduplicate internal projects. A consequence of this is that the following scenario is possible:

  1. Fork public project Project A -> Project B. Currently both projects are public, and the object pool is created.
  2. Change the visibility level on Project A to internal. The fork network is broken, but Project B remains part of the maintained object pool.
  3. Create a commit in Project A, and take note of the hash.
  4. Trigger housekeeping on Project A; this will cause objects to be fetched into the object pool.
  5. In a clone of Project B, as an anonymous user, perform git fetch origin <commit sha>. This succeeds because it is available in the object pool.

The refs aren't advertised, so users need to know the sha of objects to be able to fetch them through the public project.

Question:

If we are okay with internal objects being publicly accessible in this way, could we allow deduplication for private projects?

Edited Sep 10, 2020 by Bob Van Landuyt
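An added example, not part of the original issue and not GitLab's code: a small audit model of the situation described above, which flags pool objects that are resolvable through a pool member with a wider audience than any repository that actually references them. The `Member` type, the `audit_pool` function, the project names and the object ids are all constructed for illustration; in practice the `reachable` sets would come from each repository's own refs.

```python
from dataclasses import dataclass

# Higher number = wider audience (the visibility levels named in the issue).
OPENNESS = {"private": 0, "internal": 1, "public": 2}


@dataclass(frozen=True)
class Member:
    name: str             # hypothetical project name
    visibility: str       # "private" | "internal" | "public"
    reachable: frozenset  # object ids reachable from this repository's own refs


def audit_pool(pool_objects, members):
    """Map each over-exposed pool object to (owner_visibility, exposed_via).

    An object is over-exposed when the most open repository that references
    it is less open than the most open member sharing the pool, because any
    member can resolve every object stored in the pool.
    """
    widest = max(members, key=lambda m: OPENNESS[m.visibility])
    findings = {}
    for oid in sorted(pool_objects):
        levels = [m.visibility for m in members if oid in m.reachable]
        # Pool objects that no member references are reported as well.
        owner = max(levels, key=OPENNESS.get, default="unreferenced")
        if OPENNESS.get(owner, -1) < OPENNESS[widest.visibility]:
            findings[oid] = (owner, widest.name)
    return findings


# Constructed data mirroring the scenario: Project A became internal and then
# gained a new commit; Project B is still public and still uses the pool.
PROJECT_A = Member("project-a", "internal",
                   frozenset({"obj-base", "obj-new-commit"}))
PROJECT_B = Member("project-b", "public", frozenset({"obj-base"}))
POOL = {"obj-base", "obj-new-commit"}  # state after housekeeping on Project A


def demo():
    return audit_pool(POOL, [PROJECT_A, PROJECT_B])


if __name__ == "__main__":
    for oid, (owner, via) in demo().items():
        print(f"{oid}: referenced at '{owner}' level, resolvable via {via}")
```

The same check applies to the question about private projects: setting Project A's visibility to "private" produces the same finding with a stricter owner level.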