What this means is git doesn't make sure that blobs match shas on fetch. Malicious control of source or network can insert nasty things and git won't notice. Solution is setting transfer.fsckobjects = true.