From 6dd8d923d9e5e3ba0a86f61481c6cd68777642b6 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Thu, 1 Oct 2015 16:12:35 -0400 Subject: [PATCH] devblog --- doc/devblog/day_321__download_verification.mdwn | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 doc/devblog/day_321__download_verification.mdwn diff --git a/doc/devblog/day_321__download_verification.mdwn b/doc/devblog/day_321__download_verification.mdwn new file mode 100644 index 0000000000..e8c944364a --- /dev/null +++ b/doc/devblog/day_321__download_verification.mdwn @@ -0,0 +1,13 @@ +While at the DerbyCon security conference, I got to thinking about +verifying objects that git-annex downloads from remotes. This can be +expensive for big files, so git-annex has never done it at download time, +instead deferring it to fsck time. But, that is a divergence from git, +which always verifies checksums of objects it receives. So, it violates +least surprise for git-annex to not verify checksums too. And this could +weaken security in some use cases. + +So, today I changed that. Now whenever git-annex accepts an object into +.git/annex/objects, it first verifies its checksum and size. I did add a +setting to disable that and get back the old behavior: `git config +annex.verify false`, and there's also a per-remote setting if you want to +verify content from some remotes but not others.
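Review bot: In the last paragraph of the added devblog entry, the per-remote setting is mentioned without its name, while the global one is spelled out as `git config annex.verify false`. Naming the per-remote key in the same way would let readers apply it without searching the documentation. That paragraph could also state that disabling verification returns to the behaviour described in the first paragraph, where checksums are only checked at fsck time, so anyone who turns it off knows that fsck remains the only check on content from those remotes.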