RE: [RFC PATCH 0/2] Allow adding .git files and directories

["Randall S. Becker" <rsbecker@nexbridge.com>]

On August 19, 2020 2:48 PM, Lukas Straub wrote:
> To: Junio C Hamano <gitster@pobox.com>
> Cc: git <git@vger.kernel.org>; Elijah Newren <newren@gmail.com>;
> Brandon Williams <bwilliams.eng@gmail.com>; Johannes Schindelin
> <Johannes.Schindelin@gmx.de>; Jeff King <peff@peff.net>
> Subject: Re: [RFC PATCH 0/2] Allow adding .git files and directories
> 
> On Wed, 19 Aug 2020 11:03:30 -0700
> Junio C Hamano <gitster@pobox.com> wrote:
> 
> > Lukas Straub <lukasstraub2@web.de> writes:
> >
> > > These patches allow this and work well in a quick test. Of course
> > > some tests fail because with this the handling of nested git repos
> changed.
> >
> > In other words, this breaks the workflow existing users rely on,
> > right?  I do not know if such a behaviour ever needs to exist even as
> > an opt-in feature, but it definitely feels wrong to make the behaviour
> > these patches introduce the default.
> 
> Well, the current behavior is that nested repos (that are not submodules)
are
> completely ignored and none of the files within can be added. So the old
> behavior can be restored with .gitignore. The same goes for files/dirs
named
> .git.
> 
> Of course I don't know what the current policy for behavioral changes in
git
> is, but I see that there have been such changes in the past.

I honestly am concerned about a repeat of things like
https://nvd.nist.gov/vuln/detail/CVE-2019-19604 (the submodule update
problem). This change in behaviour is of serious concern from a risk
standpoint. To be blunt, I don't think users on my platform will move to a
version of git that supports this by default.

Sincerely,
Randall

-- Brief whoami:
 NonStop developer since approximately 211288444200000000
 UNIX developer since approximately 421664400
-- In my real life, I talk too much.