From: <rsbecker@nexbridge.com>
To: "'Taylor Blau'" <me@ttaylorr.com>, "'Michael Lohmann'" <git@lohmann.sh>
Cc: <git@vger.kernel.org>
Subject: RE: [RCF] Secure git against involuntary arb. code execution without feature loss
Date: Wed, 8 Oct 2025 17:34:56 -0400 [thread overview]
Message-ID: <020201dc389b$677305f0$365911d0$@nexbridge.com> (raw)
In-Reply-To: <aObX4C7lMHRnjbYq@nand.local>
On October 8, 2025 5:30 PM, Taylor Blau wrote:
>On Wed, Oct 08, 2025 at 11:02:03PM +0200, Michael Lohmann wrote:
>> * Proposed solution (keeping all existing features):
>> - On first use, git generates a secret "token" (e.g. a random string in
>> ~/.gitsecret)
>> - On calling `git init` or `git clone`, the secret is copied into the
>> new .git directory and serves as proof that this clone was created by
>> this user
>
>Sure, but the problem is not with direct clones (at least, not using the --local
>optimization), but with clones that recursively clone other submodules.
>
>If I clone a repository with --recurse-submodules, I imagine that this proposal
>would *not* suggest copying this token into the recursively cloned submodules,
>right?
>proposal improves the experience
>
>> - Editors would no longer need to prompt the user for "Do you trust this
>> repository?" in most cases, because git could prove the clone is user
>> generated.
>
>If the above is true (that Git would not copy the token into recursively cloned
>submodules), then I admit to struggling a bit to see how this proposal would
>remove the need to consult the user in this case. Instead of the editor doing it, the
>user would need to do it themselves?
I am wondering why this approach cannot be made more general. If there is
a tokenization framework built into git that organizations can use for integration,
they should be able to plug-in their own approved tokenization solutions, which
have already been vetted by the security groups. I am concerned that we are
potentially opening up git to CVEs due to insufficiently secure tokens that are
outside our specific domain.
--Randall
next prev parent reply other threads:[~2025-10-08 21:35 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-10-08 21:02 [RCF] Secure git against involuntary arb. code execution without feature loss Michael Lohmann
2025-10-08 21:30 ` Taylor Blau
2025-10-08 21:34 ` rsbecker [this message]
2025-10-08 21:49 ` Taylor Blau
2025-10-08 22:09 ` Michael Lohmann
2025-10-08 21:35 ` brian m. carlson
2025-10-08 22:25 ` Michael Lohmann
2025-10-09 5:24 ` Jeff King
2025-10-09 22:43 ` Michael Lohmann
2025-10-13 9:57 ` Submitted patches for "assume unsafe" Michael Lohmann
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='020201dc389b$677305f0$365911d0$@nexbridge.com' \
--to=rsbecker@nexbridge.com \
--cc=git@lohmann.sh \
--cc=git@vger.kernel.org \
--cc=me@ttaylorr.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).