From: Elliott Cable <me@ell.io>
To: Jeff King <peff@peff.net>
Cc: Dennis Kaarsemaker <dennis.kaarsemaker@booking.com>,
Git Mailing List <git@vger.kernel.org>,
bmwill@google.com
Subject: Re: persistent-https, url insteadof, and `git submodule`
Date: Fri, 26 May 2017 11:22:37 -0500
Message-ID: <CAPZ477PoSXqahxaQVpO+m==vng==o4vQahrg_WA8Oeh7wmoW0w@mail.gmail.com>
In-Reply-To: <20170520070757.jekykxagzze3t2wy@sigill.intra.peff.net>
Hi! Thanks for the responses (I hope reply-all isn't bad mailing-list
etiquette? Feel free to yell at me with a direct reply!). For whatever it's
worth, as a random user, here are my thoughts:
On Sat, May 20, 2017 at 2:07 AM, Jeff King <peff@peff.net> wrote:
> On Fri, May 19, 2017 at 11:55:34PM +0200, Dennis Kaarsemaker wrote:
>> > On Fri, 2017-05-19 at 14:57 -0500, Elliott Cable wrote:
>> > > Presumably this isn't intended behaviour?
>> >
>> > It actually is. git-submodule sets GIT_PROTOCOL_FROM_USER to 0, which
>> > makes git not trust any urls except http(s), git, ssh and file urls
>> > unless you explicitly configure git to allow it. See the
>> > GIT_ALLOW_PROTOCOL section in man git and the git-config section it
>> > links to.
>>
>> 33cfccbbf3 (submodule: allow only certain protocols for submodule
>> fetches, 2015-09-16) says:
>> [...]
>> But doing it this way is
>> simpler, and makes it much less likely that we would miss a
>> case. And since such protocols should be an exception
>> (especially because nobody who clones from them will be able
>> to update the submodules!), it's not likely to inconvenience
>> anyone in practice.
>
> The other approach is to declare that a url rewrite resets the
> protocol-from-user flag to 1. IOW, since the "persistent-https" protocol
> comes from our local config, it's not dangerous and we should behave as
> if the user themselves gave it to us. That makes Elliott's case work out
> of the box.
Well, now that I'm aware of security concerns, `GIT_PROTOCOL_FROM_USER`
and `GIT_ALLOW_PROTOCOL`, and so on, I wouldn't *at all* expect
`insteadOf` to disable that behaviour. Instead, one of two things seems
like a more ideal solution:
1. Most simply, better documentation: mention `GIT_PROTOCOL_FROM_USER`
explicitly in the documentation of/near `insteadOf`, most
particularly in the README for `contrib/persistent-https`.
2. Possibly, special-case “higher-security” porcelain (like
`git-submodule`, as described in 33cfccbbf3) to ignore `insteadOf`
rewrite-rules without additional, special configuration. This way,
`git-submodule` works for ignorant users (like me) out of the box,
just as it previously did, and there's no possible security
compromise.
Just my 2¢ — thanks for your tireless contributions, loves. <3
⁓ ELLIOTTCABLE — fly safe.
http://ell.io/tt
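The allow-list decision the thread is arguing about (GIT_PROTOCOL_FROM_USER, GIT_ALLOW_PROTOCOL and per-protocol config, applied to the scheme left after an insteadOf rewrite), as an added shell model that is not part of this thread or of git's source; the function and parameter names are assumptions of this example, and the defaults it encodes are the ones documented in git(1) and git-config(1).

```shell
#!/bin/sh
# Model of git's transport allow-list decision, written for this thread as an
# illustration; it is not git's own code, only a simplification of the rules
# documented under GIT_ALLOW_PROTOCOL (git(1)) and protocol.<name>.allow
# (git-config(1)). The generic protocol.allow fallback is left out.
# transport_allowed PROTO FROM_USER ALLOW_ENV CONFIG
#   PROTO      scheme of the URL *after* any url.<base>.insteadOf rewrite
#   FROM_USER  GIT_PROTOCOL_FROM_USER ("" = unset; git-submodule exports 0)
#   ALLOW_ENV  GIT_ALLOW_PROTOCOL, colon-separated ("" treated as unset here)
#   CONFIG     protocol.<PROTO>.allow: always | never | user ("" = unset)
# Returns 0 when git would use the transport, 1 when it would refuse.
transport_allowed() {
    proto=$1 from_user=$2 allow_env=$3 policy=$4

    # 1. An explicit GIT_ALLOW_PROTOCOL list overrides all config.
    if [ -n "$allow_env" ]; then
        case ":$allow_env:" in
            *":$proto:"*) return 0 ;;
            *)            return 1 ;;
        esac
    fi

    # 2. No config for this protocol: the well-known schemes default to
    #    "always", everything else (remote helpers such as persistent-https)
    #    to "user". Recent git releases default file to "user" as well.
    if [ -z "$policy" ]; then
        case $proto in
            http|https|git|ssh|file) policy=always ;;
            *)                       policy=user ;;
        esac
    fi

    # 3. Apply the policy: a "user" protocol is trusted only when the URL is
    #    considered to come from the user, i.e. GIT_PROTOCOL_FROM_USER != 0.
    case $policy in
        always) return 0 ;;
        never)  return 1 ;;
        user)   [ "$from_user" != 0 ] ;;
        *)      return 1 ;;
    esac
}

# Print "allow" or "refuse" for one scenario.
verdict() {
    if transport_allowed "$@"; then echo allow; else echo refuse; fi
}

verdict persistent-https 0 "" ""      # refuse: the thread's submodule case
verdict persistent-https "" "" ""     # allow:  same rewrite in a top-level clone
verdict persistent-https 0 "" always  # allow:  protocol.persistent-https.allow=always
```

The last two scenarios are the documented opt-ins a user can choose once the behaviour is understood; the model only recognises "0" as false for GIT_PROTOCOL_FROM_USER, whereas git also accepts its other boolean spellings.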
Thread overview:
2017-05-19 19:57 persistent-https, url insteadof, and `git submodule` Elliott Cable
2017-05-19 21:43 ` Dennis Kaarsemaker
2017-05-19 21:55 ` Dennis Kaarsemaker
2017-05-20 7:07 ` Jeff King
2017-05-26 16:22 ` Elliott Cable [this message]
2017-05-31 4:50 ` Jeff King
2017-05-31 14:23 ` Ævar Arnfjörð Bjarmason
2017-05-31 21:22 ` Jeff King
2017-05-31 5:18 ` [PATCH] docs/config: mention protocol implications of url.insteadOf Jeff King
2017-06-01 0:15 ` Brandon Williams