Deduplicated objects from an internal repository are publicly accessible by name through a public project
In #33318 (closed) we made it possible to deduplicate internal projects. A consequence of this is that the following scenario is possible:

- Fork public project Project A -> Project B. Currently both projects are public, and the object pool is created.
- Change the visibility level on Project A to internal. The fork network is broken, but Project B remains part of the maintained object pool.
- Create a commit in Project A, and take note of the hash.
- Trigger housekeeping on Project A; this will cause objects to be fetched into the object pool.
- In a clone of Project B as an anonymous user, perform `git fetch origin <commit sha>`. This succeeds because the object is available in the object pool.
The refs aren't advertised, so users need to know the sha of objects to be able to fetch them through the public project.
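As an added illustration (not code from this issue or from GitLab), the script below reproduces the scenario with plain git on a local machine: a bare pool repo is shared through `objects/info/alternates`, a commit made only in A is pulled into the pool, and a fresh clone of B can then fetch it by SHA. It also includes a check an operator could run against a pool-linked repository, listing objects that are fetchable (present in its store or its alternates) but unreachable from any of its refs. Assumptions: `uploadpack.allowAnySHA1InWant` stands in for the server-side fetch-by-SHA behaviour the issue reports, and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the issue): simulate a GitLab-style object pool with
# plain git. A pool repo is shared through objects/info/alternates by repos A
# and B. A commit made only in A and pulled into the pool becomes fetchable
# by SHA from an anonymous clone of B, although none of B's refs reach it.
set -eu
export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid

# Defender's check: objects present in a repo's object store (including the
# alternates it is linked to) that are not reachable from any of its refs.
unreachable_pool_objects() {            # $1 = repo path
  tmp=$(mktemp)
  git -C "$1" rev-list --all --objects | cut -d' ' -f1 | sort > "$tmp"
  git -C "$1" cat-file --batch-all-objects --batch-check='%(objectname)' |
    sort | comm -23 - "$tmp"
  rm -f "$tmp"
}

# Reproduces the scenario; sets LEAK_REPO, LEAK_SHA and LEAK_TYPE for callers.
pool_leak_demo() {
  work=$(mktemp -d)
  pool="$work/pool.git"; a="$work/a"; b="$work/b"; c="$work/c"
  git init -q --bare "$pool"
  git init -q "$a"; git init -q "$b"
  # Both projects are deduplicated against the same pool (constructed setup).
  echo "$pool/objects" > "$a/.git/objects/info/alternates"
  echo "$pool/objects" > "$b/.git/objects/info/alternates"
  git -C "$a" commit -q --allow-empty -m "public history"
  git -C "$pool" fetch -q "$a" '+refs/heads/*:refs/remotes/a/*'   # pool filled
  git -C "$b" fetch -q "$a" HEAD && git -C "$b" update-ref HEAD FETCH_HEAD  # B = fork of A
  # A becomes internal: the fork link is gone, but B keeps its alternates.
  git -C "$a" commit -q --allow-empty -m "internal-only commit"
  LEAK_SHA=$(git -C "$a" rev-parse HEAD)
  git -C "$pool" fetch -q "$a" '+refs/heads/*:refs/remotes/a/*'   # "housekeeping"
  # Assumption: the server permits fetch-by-SHA, as the issue reports it does.
  git -C "$b" config uploadpack.allowAnySHA1InWant true
  # Sanity check: B's own refs do not reach the new commit.
  ! git -C "$b" rev-list --all | grep -q "$LEAK_SHA"
  # Anonymous user: a fresh clone of B over the transport, then fetch by SHA.
  git clone -q "file://$b" "$c"
  git -C "$c" fetch -q origin "$LEAK_SHA"
  LEAK_TYPE=$(git -C "$c" cat-file -t "$LEAK_SHA")   # "commit": the object leaked
  LEAK_REPO=$b
}
```

After `pool_leak_demo`, `unreachable_pool_objects "$LEAK_REPO"` prints exactly the leaked commit, which is the set an audit of a pool-linked public repository would want to be empty.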
Question:
If we are okay with internal objects being publicly accessible in this way, could we allow deduplication for private projects?
Edited by Bob Van Landuyt