From: Christoph Anton Mitterer <calestyo@scientia.org>
To: Johannes Schindelin <Johannes.Schindelin@gmx.de>
Cc: git@vger.kernel.org
Subject: Re: status on security of embedded repos?
Date: Mon, 05 Sep 2022 15:22:14 +0200
Message-ID: <c209dc21f6826bbb60d75450e6f7f9ff2258d18c.camel@scientia.org>
In-Reply-To: <6sq30r84-1s65-91n4-5qoq-23s9q433sno1@tzk.qr>
Hey Johannes.
Thanks.
Is it known whether this will automatically prevent the issue also for
any 3rd party modules for git?
I mean, is special action needed by them to consider the option? Or is
it likely that there are some which manually discover the git config
and could thereby still suffer from the vulnerability?
I assume the same wouldn't be possible for non-bare embedded repos? I
tried to try this, but when git add(ing) such a repo, it already warns
that the embedded (non-bare) repo would not be included in clones.
On Mon, 2022-09-05 at 12:21 +0200, Johannes Schindelin wrote:
> Note: The default will still be at `safe.bareRepository = all`.
That seems like a not so secure default, given that probably only few
people will ever encounter embedded bare repos.
OTOH, the attack surface seems rather big, if one just needs to clone
some arbitrary repo where one wants to look at some code, and is then
in principle already fully vulnerable?!
Thanks,
Chris.
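The concern raised in this message is that a freshly cloned repository can carry a bare repository somewhere inside its tree, and that git (or a tool that discovers git config on its own) might pick it up. As an added example that is not part of the thread and not git's own code, the POSIX shell script below scans a checkout for directories shaped like bare repositories (HEAD, objects/, refs/ and config side by side, outside the checkout's own .git) and shows the strict value of git's real `safe.bareRepository` setting written to a config file of the caller's choosing. The function names and the sample directory layout are constructed for the demonstration; only `safe.bareRepository` and its `explicit` value come from git itself.

```shell
#!/bin/sh
# Added example, not code from the git project or from this thread.
# Scans a checkout for embedded bare repositories and applies the strict
# `safe.bareRepository` value. Helper names and sample data are constructed.

# Heuristic: a bare repository has HEAD, objects/, refs/ and config in one
# directory. The checkout's own .git directory (and any nested .git directory,
# which is a non-bare repo and a different case) is deliberately skipped.
find_embedded_bare_repos() {
    root="$1"
    find "$root" -type f -name HEAD 2>/dev/null | while read -r head; do
        dir=$(dirname "$head")
        case "$dir" in
            "$root/.git"|"$root/.git/"*) continue ;;  # the checkout's own metadata
            */.git|*/.git/*) continue ;;              # nested non-bare repos
        esac
        if [ -d "$dir/objects" ] && [ -d "$dir/refs" ] && [ -f "$dir/config" ]; then
            printf '%s\n' "$dir"
        fi
    done
}

# Hardening: tell git to use bare repositories only when explicitly pointed at
# them (via --git-dir or GIT_DIR), never one discovered while walking up the
# tree. Writes to the config file given as $1 so the effect stays reviewable;
# pass ~/.gitconfig (or use --global) to apply it for a user.
harden_bare_repo_setting() {
    git config --file "$1" safe.bareRepository explicit
}

# Constructed sample checkout: a normal .git, a harmless directory that merely
# contains a file named HEAD, and one embedded bare repository under vendor/.
build_sample_checkout() {
    root=$(mktemp -d)
    mkdir -p "$root/.git/objects" "$root/.git/refs"
    : > "$root/.git/HEAD"; : > "$root/.git/config"
    mkdir -p "$root/docs"; : > "$root/docs/HEAD"
    mkdir -p "$root/vendor/embedded.git/objects" "$root/vendor/embedded.git/refs"
    : > "$root/vendor/embedded.git/HEAD"; : > "$root/vendor/embedded.git/config"
    printf '%s\n' "$root"
}

# Usage: scan a freshly cloned tree before running any git-aware tooling in it.
sample=$(build_sample_checkout)
echo "embedded bare repositories under $sample:"
find_embedded_bare_repos "$sample"
```

The scan is a filesystem heuristic, so it works without git installed and can run in CI on an untrusted clone; it only reports paths and never reads the embedded repository's config. Setting `safe.bareRepository` to `explicit` is the mitigation the thread discusses, and the file-based form lets a site ship it in a system-wide config that users cannot override by accident.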