1SECURITY 2-------- 3The fetch and push protocols are not designed to prevent one side from 4stealing data from the other repository that was not intended to be 5shared. If you have private data that you need to protect from a malicious 6peer, your best option is to store it in another repository. This applies 7to both clients and servers. In particular, namespaces on a server are not 8effective for read access control; you should only grant read access to a 9namespace to clients that you would trust with read access to the entire 10repository. 11 12The known attack vectors are as follows: 13 14. The victim sends "have" lines advertising the IDs of objects it has that 15 are not explicitly intended to be shared but can be used to optimize the 16 transfer if the peer also has them. The attacker chooses an object ID X 17 to steal and sends a ref to X, but isn't required to send the content of 18 X because the victim already has it. Now the victim believes that the 19 attacker has X, and it sends the content of X back to the attacker 20 later. (This attack is most straightforward for a client to perform on a 21 server, by creating a ref to X in the namespace the client has access 22 to and then fetching it. The most likely way for a server to perform it 23 on a client is to "merge" X into a public branch and hope that the user 24 does additional work on this branch and pushes it back to the server 25 without noticing the merge.) 26 27. As in #1, the attacker chooses an object ID X to steal. The victim sends 28 an object Y that the attacker already has, and the attacker falsely 29 claims to have X and not Y, so the victim sends Y as a delta against X. 30 The delta reveals regions of X that are similar to Y to the attacker.